Offensive Python

Network Pivoting

VoIP basics
- SIP, RTP
- Security: TLS, SRTP

Recovering and decrypting VoIP calls

Existing open-source tools and their problems

VoIPShark
- Architecture and internals
- Analysing VoIP traffic
- Recovering calls
VoIP telephony
- Signalling + media
(Figure: SIP Server)
Signalling protocols

SIP (Session Initiation Protocol)
- Defined by the IETF
- Replaces fixed-line telephony and the PSTN (public switched telephone network)

H.323
- Defined by the ITU-T
- Designed mainly for video conferencing, also used for voice calls

SCCP (Skinny Client Control Protocol)
- Cisco proprietary protocol for line-side control of telephones
SIP (Session Initiation Protocol)
- A text-based protocol
- Applications
  - Calls that carry their media in a separate stream (voice, video), for example RTP
  - Sending text messages with the SIP MESSAGE method
- Works together with other protocols
  - The Session Description Protocol (SDP) defines media negotiation and setup
- Runs over TCP, UDP or SCTP (Stream Control Transmission Protocol)
- Security is provided by TLS (Transport Layer Security), i.e. SIP over TLS
Subscribe, publish and notify
(Figure: User/Device, Subscription Broker, Service)
Session Initiation Protocol: example call flow

(Figure: ladder diagram between a user agent client (UAC) and a user agent server (UAS))
  INVITE       -->
  100 Trying   <--
  180 Ringing  <--
  200 OK       <--
  ACK          -->
  <-- media -->
  BYE
Open-source SIP servers (logos): SIPfoundry (www.sipfoundry.org), Elastix, FreeSWITCH (freeswitch.org, "Freedom to communicate"), Asterisk (www.asterisk.org).
IP-based telephony services

Softphone options
- Zoiper
- X-Lite
- Linphone
- MicroSIP

Factors to consider when choosing a softphone client
- Whether encryption is supported (especially in the free version)
- Supported features (e.g. text messaging, call hold, ...)

Sites: www.microsip.org, www.counterpath.com/x-lite-download, www.zoiper.com, www.linphone.org, www.3cx.com. PBX software: Asterisk, FreePBX ("let freedom ring").
Scenario

- Bob: User ID 1111, password abc_123321, at 192.168.20.132
- Asterisk Now server at 192.168.20.130
- Alice: User ID 2222, password 123321, at 192.168.20.1


Four cases to analyse:
- SIP + RTP
- SIP over TLS + RTP
- SIP + SRTP
- SIP over TLS + SRTP

Case: SIP + RTP
SIP/SDP packets

Wireshark packet list:
No.  Time       Source          Destination     Protocol  Length  Info
34   17.478218  192.168.20.132  192.168.20.130  SIP/SDP   1374    Request: INVITE sip:2222@192.168.20.130
37   17.598013  192.168.20.130  192.168.20.1    SIP/SDP   1089    Request: INVITE sip:2222@192.168.20.1:52987;ob
71   22.145095  192.168.20.1    192.168.20.130  SIP/SDP   1014    Status: 200 OK
74   22.150650  192.168.20.130  192.168.20.132  SIP/SDP   1046    Status: 200 OK
78   22.158359  192.168.20.132  192.168.20.130  SIP/SDP   919     Request: UPDATE sip:192.168.20.130:5060

Frame 71 (the 200 OK from Alice's phone to the server), packet details:
Frame 71: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_f8:0d:44 (00:0c:29:f8:0d:44)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 52987, Dst Port: 5060
Session Initiation Protocol (200)
  Status-Line: SIP/2.0 200 OK
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3731351734 3731351735 IN IP4 192.168.5.103
      Session Name (s): pjmedia
      Bandwidth Information (b): AS:84
      Time Description, active time (t): 0 0
      Session Attribute (a): X-nat:0
      Media Description, name and address (m): audio 4000 RTP/AVP 0 101
      Connection Information (c): IN IP4 192.168.5.103
      Bandwidth Information (b): TIAS:64000
      Media Attribute (a): rtcp:4001 IN IP4 192.168.5.103
      Media Attribute (a): sendrecv
      Media Attribute (a): rtpmap:0 PCMU/8000
      Media Attribute (a): rtpmap:101 telephone-event/8000


RTCP packets

Wireshark packet list (RTCP):
No.   Time       Source          Destination     Protocol  Info
2170  32.479679  192.168.20.1    192.168.20.130  RTCP      Sender Report  Source description
3108  37.158822  192.168.20.130  192.168.20.1    RTCP      Sender Report  Source description
3109  37.158934  192.168.20.130  192.168.20.132  RTCP      Sender Report  Source description
3136  37.287057  192.168.20.132  192.168.20.130  RTCP      Sender Report  Source description
3207  37.640101  192.168.20.1    192.168.20.130  RTCP      Sender Report  Source description

Frame 3108, packet details:
Frame 3108: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: Vmware_f8:0d:44 (00:0c:29:f8:0d:44), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 15675, Dst Port: 4001
Real-time Transport Control Protocol (Sender Report)
  [Stream setup by SDP (frame 37)]
  10.. .... = Version: RFC 1889 Version (2)
  ..0. .... = Padding: False
  ...0 0001 = Source count: 1
  Packet type: Source description (202)
  Length: 2 (12 bytes)
  Chunk 1, SSRC/CSRC 0x3C988166
    Identifier: 0x3c988166 (1016627558)
    SDES items
      Type: CNAME (user and domain) (1)
      Length: 6
      Type: END (0)
  [RTCP frame length check: OK - 64 bytes]
RTP packets (Complete normal call.pcap)

No.   Time       Source          Destination     Protocol  Length  Info
3103  37.140222  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=5909, Time=120000
3104  37.141062  192.168.20.130  192.168.20.132  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0xAFD8AB5, Seq=21275, Time=120000
3105  37.143728  192.168.20.132  192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x43572C47, Seq=30108, Time=120000
3106  37.144098  192.168.20.130  192.168.20.1    RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x3C988166, Seq=26401, Time=120000
3110  37.160340  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=5910, Time=120160

Frame 3106, packet details:
Frame 3106: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_f8:0d:44 (00:0c:29:f8:0d:44), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 15674, Dst Port: 4000
Real-Time Transport Protocol
  [Stream setup by SDP (frame 37)]
  Version: RFC 1889 Version (2)
  Padding: False
  Extension: False
  Contributing source identifiers count: 0
  Marker: False
  Payload type: ITU-T G.711 PCMU (0)
  Sequence number: 26401
  [Extended sequence number: 91937]
  Timestamp: 120000
  Synchronization Source identifier: 0x3c988166 (1016627558)
  Payload: 5f5f606265696b6c6e70777b7d7d7e7d7a797efaf8fb7e7d...
VoIP calls (Telephony > VoIP Calls)

The call list has the columns Start Time, Stop Time, Initial Speaker, From, Protocol, Duration, Packets, State and Comments (with a Time of Day option). Selecting the call and opening Flow Sequence gives the ladder below between 192.168.20.132 (Bob), 192.168.20.130 (server) and 192.168.20.1 (Alice); times are seconds into the capture.

Time       Flow                           Label                                          Comment
17.478218  .132:58655 -> .130:5060        INVITE SDP (opus g711A g711U telephone-event)  SIP INVITE From: <sip:1111@192.168.20.130 To: ...
17.485438  .130:5060  -> .132:58655       100 Trying                                     SIP Status 100 Trying
17.597307  .130:5060  -> .132:58655       180 Ringing                                    SIP Status 180 Ringing
17.598013  .130:5060  -> .1:52987         INVITE SDP (g711U g711A GSM G726-32 ...)       SIP INVITE From: "Bob" <sip:1111@192.168.20.1...
17.603920  .1:52987   -> .130:5060        100 Trying                                     SIP Status 100 Trying
17.604301  .1:52987   -> .130:5060        180 Ringing                                    SIP Status 180 Ringing
17.605610  .130:5060  -> .132:58655       180 Ringing                                    SIP Status 180 Ringing
22.145095  .1:52987   -> .130:5060        200 OK SDP (g711U telephone-event)             SIP Status 200 OK
22.148286  .130:5060  -> .1:52987         ACK                                            SIP Request INVITE ACK 200 CSeq:28747
22.150650  .130:5060  -> .132:58655       200 OK SDP (g711U g711A ...)                   SIP Status 200 OK
22.156664  .132:58655 -> .130:5060        ACK                                            SIP Request INVITE ACK 200 CSeq:20778
22.158359  .132:58655 -> .130:5060        UPDATE SDP (g711U telephone-event)             SIP UPDATE From: <sip:1111@192.168.20.130 To: ...
22.160190  .1:4000    -> .130:15674       RTP (g711U)                                    RTP, 830 packets. Duration: 16.581s SSRC: 0x294...
22.160191  .130:16912 -> .132:4000        RTP (g711U)                                    RTP, 830 packets. Duration: 16.581s SSRC: 0xAFD...
22.161608  .130:5060  -> .132:58655       200 OK SDP (g711U telephone-event)             SIP Status 200 OK
22.161703  .132:4000  -> .130:16912       RTP (g711U)                                    RTP, 830 packets. Duration: 16.588s SSRC: 0x435...
22.162308  .130:15674 -> .1:4000          RTP (g711U)                                    RTP, 830 packets. Duration: 16.589s SSRC: 0x3C9...
38.751436  .132:58655 -> .130:5060        BYE                                            SIP Request BYE CSeq:20780
38.752328  .130:5060  -> .132:58655       200 OK                                         SIP Status 200 OK

RTP Player (Telephony > RTP > RTP Player) for the Bob leg; the waveform pane spans 22.5 to 37.5 s:
Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.132  4000         192.168.20.130       16912             0x43572c47  78           830      22.2 - 38.8 (16.6)  8000              g711U
192.168.20.130  16912        192.168.20.132       4000              0x0afd8ab5  78           830      22.2 - 38.7 (16.6)  8000              g711U
Output Device: Speakers (Realtek High Definition Audio). Playback Timing: Jitter Buffer; Time of Day unchecked.
Case: SIP + SRTP
SRTP keys carried in SDP packets

Wireshark packet list:
No.  Time       Source          Destination     Protocol  Length  Info
128  27.128753  192.168.20.132  192.168.20.130  SIP/SDP   278     Request: INVITE sip:2222@192.168.20.130
131  27.301506  192.168.20.130  192.168.20.1    SIP/SDP   1174    Request: INVITE sip:2222@192.168.20.1:60168;ob
178  29.314263  192.168.20.130  192.168.20.132  SIP/SDP   1131    Status: 200 OK

Packet details of the 200 OK from Alice's phone to the server; note RTP/SAVP (SRTP) instead of RTP/AVP in the m= line:
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
  Status-Line: SIP/2.0 200 OK
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3730471310 3730471311 IN IP4 192.168.5.114
      Session Name (s): pjmedia
      Bandwidth Information (b): AS:84
      Time Description, active time (t): 0 0
      Session Attribute (a): X-nat:0
      Media Description, name and address (m): audio 4000 RTP/SAVP 0 101
      Connection Information (c): IN IP4 192.168.5.114
      Bandwidth Information (b): TIAS:64000
      Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
      Media Attribute (a): sendrecv
      Media Attribute (a): rtpmap:0 PCMU/8000
      Media Attribute (a): rtpmap:101 telephone-event/8000
      Media Attribute (a): fmtp:101 0-16
      Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74
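The SDP fields shown in the two 200 OK packets above (SIP + RTP and SIP + SRTP) are what a dissector needs to locate the media and tell plaintext RTP from SRTP; the following is an added example of reading them, not code from the slides or from VoIPShark. The two SDP bodies are constructed from the fields visible in the screenshots, and the a=crypto line in the SRTP body is a constructed placeholder rather than a key from the capture.

```python
"""Parse SDP bodies and report where each media stream will flow and whether
it is protected (RTP/AVP = plaintext RTP, RTP/SAVP = SRTP)."""
from dataclasses import dataclass, field

# Constructed from the 200 OK of the SIP + RTP capture (frame 71).
PLAIN_SDP = """v=0
o=- 3731351734 3731351735 IN IP4 192.168.5.103
s=pjmedia
b=AS:84
t=0 0
a=X-nat:0
m=audio 4000 RTP/AVP 0 101
c=IN IP4 192.168.5.103
b=TIAS:64000
a=rtcp:4001 IN IP4 192.168.5.103
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""

# Constructed from the 200 OK of the SIP + SRTP capture; the a=crypto line is a
# placeholder in RFC 4568 (SDES) syntax, not a real key from the capture.
SRTP_SDP = """v=0
o=- 3730471310 3730471311 IN IP4 192.168.5.114
s=pjmedia
t=0 0
m=audio 4000 RTP/SAVP 0 101
c=IN IP4 192.168.5.114
a=rtcp:4001 IN IP4 192.168.5.114
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYSALTBASE64NOTREAL
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ssrc:965767637 cname:66bf37b000942b74
"""


@dataclass
class Media:
    kind: str            # "audio", "video", ...
    port: int            # RTP port from the m= line
    proto: str           # RTP/AVP, RTP/SAVP, RTP/SAVPF, ...
    formats: list        # payload types offered, as strings
    address: str = ""    # media-level c= line, else the session-level one
    rtcp_port: int = 0   # a=rtcp, else RTP port + 1 (RFC 3550 convention)
    rtpmap: dict = field(default_factory=dict)          # payload type -> "PCMU/8000"
    crypto_suites: list = field(default_factory=list)   # suites from a=crypto lines
    ssrc: int = 0


def parse_sdp(text):
    """Return one Media per m= line. Lines before the first m= are session-level;
    after it they belong to the current media section."""
    session_addr = ""
    media = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                       # tolerate blank or malformed lines
        key, val = line[0], line[2:]
        if key == "c":
            addr = val.split()[-1]
            if cur is None:
                session_addr = addr
            else:
                cur.address = addr
        elif key == "m":
            parts = val.split()
            cur = Media(kind=parts[0], port=int(parts[1]), proto=parts[2], formats=parts[3:])
            media.append(cur)
        elif key == "a" and cur is not None:
            name, _, arg = val.partition(":")
            if name == "rtpmap":
                pt, _, codec = arg.partition(" ")
                cur.rtpmap[int(pt)] = codec
            elif name == "rtcp":
                cur.rtcp_port = int(arg.split()[0])
            elif name == "crypto":
                # "<tag> <suite> inline:<key>": record the suite, never the key
                cur.crypto_suites.append(arg.split()[1])
            elif name == "ssrc":
                cur.ssrc = int(arg.split()[0])
    for m in media:
        m.address = m.address or session_addr
        m.rtcp_port = m.rtcp_port or m.port + 1
    return media


def protection(m):
    """How the media is protected, judged from the SDP alone."""
    if m.proto.startswith("RTP/SAVP"):
        return "srtp" if m.crypto_suites else "srtp-keying-not-in-sdp"
    return "plaintext"


def audit(text):
    """One line per media section: where to find the stream and how it is protected."""
    lines = []
    for m in parse_sdp(text):
        codecs = ",".join(m.rtpmap.get(int(pt), pt) for pt in m.formats)
        lines.append(f"{m.kind} {m.address}:{m.port} rtcp={m.rtcp_port} "
                     f"{m.proto} codecs={codecs} protection={protection(m)}")
    return lines
```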
SRTP packets (Normal Call two parties.pcap)

Packet list after the SRTP call is set up (the source and destination columns are truncated in the screenshot; the first row reads 192.168.20.132 -> 192.168.20.130 and the second 192.168.20.130 -> 192.168.20.1):
No.  Time       Protocol  Info
195  29.354843  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15576, Time=320
     29.355005  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4650, Time=320
     29.372665  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
     29.372952  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
     29.375160  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15577, Time=480
200  29.375356  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4651, Time=480
204  29.393539  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25654, Time=800
205  29.393821  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16571, Time=800
206  29.395768  SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15578, Time=640

Frame 195, packet details:
Frame 195: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol
Wireshark - RTP Player on the SRTP streams; the waveform pane spans 31.5 to 39 s and its legend lists Jitter Drops, Wrong Timestamps and Inserted Silence.
Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.132  4000         192.168.20.130       17786             0x15bd2f81  182          516      29.3 - 39.7 (10.4)  8000              g711U
192.168.20.130  17786        192.168.20.132       4000              0x60542655  182          520      29.3 - 39.7 (10.4)  8000              g711U
Output Device: Speakers (Realtek High Definition Audio). Jitter Buffer: 50. Playback Timing: Jitter Buffer; Time of Day unchecked.
Case: SIP over TLS + RTP
TLS handshake (SIP over TLS)

Normal Call two parties.pcap, packet list:
No.  Time     Source          Destination     Protocol  Length  Info
4    .011835  192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
     .016672  192.168.20.130  192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hell...
     .020041  192.168.20.132  192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
     .020930  192.168.20.130  192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
     .021214  192.168.20.132  192.168.20.130  TLSv1     784     Application Data, Application Data
     .021727  192.168.20.130  192.168.20.132  TLSv1     688     Application Data, Application Data
     .022063  192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data
     .025192  192.168.20.130  192.168.20.132  TLSv1     656     Application Data, Application Data
     .076523  192.168.20.130  192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Data
     .076842  192.168.20.132  192.168.20.130  TLSv1     928     Application Data, Application Data
     .117462  192.168.20.132  192.168.20.130  TLSv1     512     Application Data, Application Data

Frame 4, packet details:
Frame 4: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49484, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer
Why is there no RTP traffic?
- Wireshark identifies RTP/SRTP streams from the media information carried in the SDP body
- With SIP and SDP encrypted, Wireshark cannot learn the port numbers

The SDP fields Wireshark uses, seen in an unencrypted INVITE:
No.  Time       Source          Destination     Protocol  Length  Info
14   23.132688  192.168.20.130  192.168.20.1    RTCP      86      Receiver Report  Source description
15   23.630139  192.168.20.132  192.168.20.130  SIP/SDP   1079    Request: INVITE sip:1111@192.168.20.130
16   23.631114  192.168.20.130  192.168.20.132  SIP       605     Status: 401 Unauthorized
17   23.633029  192.168.20.132  192.168.20.130  SIP       420     Request: ACK sip:1111@192.168.20.130

Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 63214, Dst Port: 5060
Session Initiation Protocol (INVITE)
  Request-Line: INVITE sip:1111@192.168.20.130 SIP/2.0
  Message Header
  Message Body
    Session Description Protocol
      Session Description Protocol Version (v): 0
      Owner/Creator, Session Id (o): - 3730467468 3730467468 IN IP4 192.168.20.132
      Session Name (s): pjmedia
      Bandwidth Information (b): AS:84
      Time Description, active time (t): 0 0
      Session Attribute (a): X-nat:0
      Media Description, name and address (m): audio 4004 RTP/AVP 123 8 0 101
        Media Type: audio
        Media Format: DynamicRTP-Type-123
        Media Format: ITU-T G.711 PCMA
        Media Format: ITU-T G.711 PCMU
        Media Format: DynamicRTP-Type-101
      Connection Information (c): IN IP4 192.168.20.132
      Bandwidth Information (b): TIAS:64000
      Media Attribute (a): rtcp:4005 IN IP4 192.168.20.132


Undecoded RTP traffic

Without the SDP, the media shows up as plain UDP:
No.  Time       Source          Destination     Protocol  Length  Info
661  23.884012  192.168.20.130  192.168.20.132  UDP       214     17430 > 4000 Len=172
662  23.903032  192.168.20.132  192.168.20.130  UDP       214     4000 > 17430 Len=172
663  23.903302  192.168.20.130  192.168.20.1    UDP       214     16374 > 4000 Len=172
664  23.904066  192.168.20.1    192.168.20.130  UDP       214     4000 > 16374 Len=172
665  23.904167  192.168.20.130  192.168.20.132  UDP       214     17430 > 4000 Len=172
666  23.923545  192.168.20.132  192.168.20.130  UDP       214     4000 > 17430 Len=172
667  23.923824  192.168.20.130  192.168.20.1    UDP       214     16374 > 4000 Len=172
668  23.924438  192.168.20.1    192.168.20.130  UDP       214     4000 > 16374 Len=172
669  23.924589  192.168.20.130  192.168.20.132  UDP       214     17430 > 4000 Len=172
670  23.943786  192.168.20.132  192.168.20.130  UDP       214     4000 > 17430 Len=172
671  23.944063  192.168.20.130  192.168.20.1    UDP       214     16374 > 4000 Len=172

Frame 662, packet details:
Frame 662: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17430
Data (172 bytes)

© PentesterAcademy.com

Right-click one of the UDP packets to open the context menu (Mark/Unmark Packet, Ignore/Unignore Packet, Set/Unset Time Reference, Time Shift..., Packet Comment..., Edit Resolved Name, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow, Copy, Show Packet in New Window) and choose Decode As...
Decode as RTP

Wireshark - Decode As... dialog: the UDP port of the flow is decoded as RTP.

Normal_Call_two_parties.pcap after decoding (the source and destination columns are truncated in the screenshot; frame 662 is 192.168.20.132 -> 192.168.20.130 and frame 663 is 192.168.20.130 -> 192.168.20.1):
No.  Time       Protocol  Length  Info
653  23.843404  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26410, Time=21440
654  23.862647  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29493, Time=21600
655  23.863368  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10392, Time=21600
656  23.863618  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=14717, Time=21600
657  23.863759  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26411, Time=21600
658  23.882829  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29494, Time=21760
659  23.883135  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10393, Time=21760
660  23.883902  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=14718, Time=21760
661  23.884012  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26412, Time=21760
662  23.903032  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29495, Time=21920
663  23.903302  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10394, Time=21920

Frame 662, packet details:
Frame 662: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17430
Real-Time Transport Protocol

With the packets dissected as RTP, the Telephony menu (VoIP Calls, ANSI, GSM, IAX2 Stream Analysis, LTE, MTP3, Osmux, RTP, RTSP, SCTP, SMPP Operations, UCP Messages, H.225, SIP Flows, SIP Statistics, WAP-WSP Packet Counter) can be used on the stream.
Analysing the RTP stream (Telephony > RTP > Stream Analysis)

192.168.20.132:4000 => 192.168.20.130:17430

Forward                                Reverse
SSRC          0x32d417e6               SSRC          0x47a214a7
Max Delta     23.37 ms @ 989           Max Delta     24.31 ms @ 180
Max Jitter    1.49 ms                  Max Jitter    1.32 ms
Mean Jitter   0.87 ms                  Mean Jitter   0.77 ms
Max Skew      40.44 ms                 Max Skew      30.31 ms
RTP Packets   529                      RTP Packets   524
Expected      529                      Expected      524
Lost          0 (0.00 %)               Lost          0 (0.00 %)
Seq Errs      0                        Seq Errs      0
Start at      21.201381 s @ 108        Start at      21.269697 s @ 125
Duration      10.52 s                  Duration      10.44 s
Clock Drift   -1030 ms                 Clock Drift   -1053 ms
Freq Drift    7217 Hz (-9.79 %)        Freq Drift    7193 Hz (-10.09 %)

Forward to reverse start diff 0.068316 s @ 17
2 streams found.

Tabs: Forward | Reverse | Graph. The per-packet table (columns Packet, Sequence, Delta (ms), Jitter (ms), Skew, Bandwidth, Marker, Status) is not reproduced here; in the screenshot it covers packets 2138 to 2251 with sequence numbers 29860 to 29887, deltas of roughly 19 to 22 ms, jitter below 1.2 ms, skew between 30 and 41 ms and a bandwidth of 80.00 to 81.60.
Playing the RTP stream (Telephony > RTP > RTP Player)

Wireshark - RTP Player; the waveform pane spans 22.5 to 30 s:
Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.1    4000         192.168.20.130       16374             0x00294823  4294967295   528      21.2 - 31.7 (10.5)  8000              g711U
192.168.20.130  16374        192.168.20.1         4000              0x5b7c483d  4294967295   524      21.3 - 31.7 (10.4)  8000              g711U
(The Setup Frame column shows the placeholder 4294967295 because these streams were identified with Decode As rather than from an SDP packet.)
Output Device: Speakers (Realtek High Definition Audio). Jitter Buffer: 50. Playback Timing: Jitter Buffer; Time of Day unchecked.
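The manual procedure above (recognise the undissected UDP flow as RTP, then run the stream analysis) as an added example, not code from the slides or from VoIPShark. The packets are constructed to match the capture: 172-byte UDP payloads, i.e. a 12-byte RTP header plus 160 bytes of G.711 (20 ms at 8 kHz), SSRC 0x32D417E6 as in the screenshots; the audio bytes are filler, and one dropped packet and one late arrival are introduced deliberately to exercise the loss and jitter logic.

```python
"""Recognise RTP inside undissected UDP payloads and compute per-SSRC stream
statistics (expected/lost packets, RFC 3550 inter-arrival jitter): the manual
equivalent of Wireshark's "Decode As RTP" followed by "RTP Stream Analysis"."""
import struct

PCMU = 0             # payload type of G.711 u-law, as in the captures
CLOCK_RATE = 8000    # Hz; the timestamp advances 160 per 20 ms packet


def parse_rtp(data):
    """Fixed-header fields of an RTP packet (RFC 3550 section 5.1), or None when
    the bytes cannot be RTP: wrong version bits or too short for the header."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        return None
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc
    if b0 & 0x10:                      # header extension present
        if len(data) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", data[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(data) < hdr_len:
        return None
    return {"padding": bool(b0 & 0x20), "cc": cc, "marker": bool(b1 & 0x80),
            "pt": b1 & 0x7F, "seq": seq, "timestamp": ts, "ssrc": ssrc,
            "payload": data[hdr_len:]}


def looks_like_rtp(data, voice_pts=(PCMU, 8, 101)):
    """Heuristic for the case where the SDP was encrypted: version 2 plus a
    payload type expected in a voice call (PCMU, PCMA, telephone-event)."""
    hdr = parse_rtp(data)
    return hdr is not None and hdr["pt"] in voice_pts


def stream_stats(packets, clock_rate=CLOCK_RATE):
    """packets: iterable of (arrival_seconds, udp_payload). Returns
    {ssrc: {"received", "expected", "lost", "max_jitter_ms"}}."""
    streams = {}
    for arrival, data in packets:
        hdr = parse_rtp(data)
        if hdr is None:
            continue
        st = streams.setdefault(hdr["ssrc"], {
            "first_seq": hdr["seq"], "last_seq": hdr["seq"], "received": 0,
            "jitter": 0.0, "max_jitter": 0.0, "prev": None})
        st["received"] += 1
        if ((hdr["seq"] - st["last_seq"]) & 0xFFFF) < 0x8000:   # newer, not reordered
            st["last_seq"] = hdr["seq"]
        if st["prev"] is not None:
            # RFC 3550 A.8: D = (Rj - Ri) - (Sj - Si) in timestamp units, J += (|D| - J)/16
            prev_arrival, prev_ts = st["prev"]
            ts_diff = (hdr["timestamp"] - prev_ts) & 0xFFFFFFFF
            if ts_diff >= 0x80000000:          # wrapped or reordered: treat as signed
                ts_diff -= 0x100000000
            d = (arrival - prev_arrival) * clock_rate - ts_diff
            st["jitter"] += (abs(d) - st["jitter"]) / 16.0
            st["max_jitter"] = max(st["max_jitter"], st["jitter"])
        st["prev"] = (arrival, hdr["timestamp"])
    result = {}
    for ssrc, st in streams.items():
        expected = ((st["last_seq"] - st["first_seq"]) & 0xFFFF) + 1
        result[ssrc] = {"received": st["received"], "expected": expected,
                        "lost": expected - st["received"],
                        "max_jitter_ms": round(st["max_jitter"] * 1000.0 / clock_rate, 2)}
    return result


def analyse(packets):
    """Split a UDP flow into probable RTP and everything else, then analyse the RTP part."""
    rtp = [(t, d) for t, d in packets if looks_like_rtp(d)]
    return len(packets) - len(rtp), stream_stats(rtp)


def build_pcmu_packet(seq, timestamp, ssrc, marker=False):
    """Constructed 172-byte packet: 12-byte header + 160 bytes of PCMU filler,
    the same size as the Len=172 UDP payloads in the capture."""
    b0 = 0x80                                  # V=2, no padding, no extension, CC=0
    b1 = (0x80 if marker else 0x00) | PCMU
    payload = b"\xff" * 160                    # u-law near-silence, not captured audio
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def sample_capture():
    """Constructed flow: ten 20 ms packets of SSRC 0x32D417E6 from seq 29493, with
    seq 29497 dropped and seq 29499 arriving 3 ms late, plus one non-RTP datagram
    (first byte 0x12, so its version bits are 0)."""
    pkts = []
    t0, seq0, ts0 = 23.862647, 29493, 21600
    for i in range(10):
        if i == 4:
            continue
        late = 0.003 if i == 6 else 0.0
        pkts.append((t0 + 0.020 * i + late,
                     build_pcmu_packet(seq0 + i, ts0 + 160 * i, 0x32D417E6)))
    pkts.append((t0 + 0.001, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6))
    return pkts
```

The same parser accepts the 182-byte payloads of the SIP over TLS + SRTP capture, since SRTP leaves the RTP header in the clear; the extra 10 bytes match the 80-bit SRTP authentication tag and the 160 payload bytes are ciphertext, so decoding them as G.711 only yields noise.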
Case: SIP over TLS + SRTP
TLS key exchange methods

TLS encrypts the data with a symmetric cipher (e.g. AES, Blowfish)
- Two possible methods for agreeing on that key
  - DHE (Diffie-Hellman key exchange)
  - RSA (asymmetric encryption)

Diffie-Hellman key exchange

Assumptions
- The attacker cannot guess the original colours even after seeing the exchange
- The attacker can see everything on the public transport

(Figure: the paint-mixing analogy. Each side starts from the common paint, mixes in its own secret colour and sends the mixture over the public transport (assume that mixture separation is expensive); mixing its secret colour into the received mixture gives both sides the same common secret. More on: en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)
RSA (asymmetric encryption)

(Figure: the sender turns the plaintext into ciphertext with the recipient's public key; the recipient turns it back into plaintext with the recipient's private key. Different keys are used to encrypt and decrypt the message.)

- Keys derived via ECDHE/DHE cannot be recovered by listening to the traffic
- With RSA key exchange, obtaining the server's private key is enough to decrypt the traffic
TLS handshake (SIP over TLS)

Normal Call two parties.pcap, packet list:
No.  Time       Source          Destination     Protocol  Length  Info
15   10.172139  192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
18   10.177721  192.168.20.130  192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hell...
19   10.181390  192.168.20.132  192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
20   10.182741  192.168.20.130  192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
21   10.183127  192.168.20.132  192.168.20.130  TLSv1     784     Application Data, Application Data
22   10.183904  192.168.20.130  192.168.20.132  TLSv1     688     Application Data, Application Data
23   10.184221  192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data
24   10.187834  192.168.20.130  192.168.20.132  TLSv1     656     Application Data, Application Data
26   10.237912  192.168.20.130  192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Data
27   10.238220  192.168.20.132  192.168.20.130  TLSv1     928     Application Data, Application Data
29   10.277703  192.168.20.132  192.168.20.130  TLSv1     512     Application Data, Application Data

The Server Key Exchange message in frame 18 is only sent for ephemeral (DHE/ECDHE) key exchange; with plain RSA key exchange it is absent. Its presence is therefore the first thing to check before expecting the server's private key to decrypt a captured session.

Frame 15, packet details:
Frame 15: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49532, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer

Frame 19, packet details:
Frame 19: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49532, Dst Port: 5061, Seq: 200, Ack: 1193, Len: 146
Secure Sockets Layer
  TLSv1 Record Layer: Handshake Protocol: Certificate
  TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 70
    Handshake Protocol: Client Key Exchange
      Handshake Type: Client Key Exchange (16)
      Length: 66
  TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
  TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Media of the SIP over TLS + SRTP call, again undissected because the SDP travelled inside TLS:
No.  Time        Source          Destination     Protocol  Length  Info
714  103.046522  192.168.20.130  192.168.20.1    UDP       224     13288 > 4000 Len=182
715  103.049044  192.168.20.1    192.168.20.130  UDP       224     4000 > 13288 Len=182
716  103.049234  192.168.20.130  192.168.20.132  UDP       224     13408 > 4000 Len=182
717  103.066609  192.168.20.132  192.168.20.130  UDP       224     4000 > 13408 Len=182
718  103.067006  192.168.20.130  192.168.20.1    UDP       224     13288 > 4000 Len=182
719  103.079392  192.168.20.1    192.168.20.130  UDP       224     4000 > 13288 Len=182
720  103.079609  192.168.20.130  192.168.20.132  UDP       224     13408 > 4000 Len=182
721  103.086695  192.168.20.132  192.168.20.130  UDP       224     4000 > 13408 Len=182
722  103.087313  192.168.20.130  192.168.20.1    UDP       224     13288 > 4000 Len=182
723  103.089180  192.168.20.1    192.168.20.130  UDP       224     4000 > 13288 Len=182

Frame 719, packet details:
Frame 719: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 13288
Data (182 bytes)

Frame 714, packet details:
Frame 714: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_ff:65:9b (00:0c:29:ff:65:9b), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 13288, Dst Port: 4000
Data (182 bytes)

As before, right-click one of the UDP packets (context menu: Mark/Unmark Packet, Ignore/Unignore Packet, Set/Unset Time Reference, Time Shift..., Packet Comment..., Edit Resolved Name, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow, Copy, Show Packet in New Window) and choose Decode As...

Decode as RTP

Wireshark - Decode As... dialog (columns Field, Value, Default, Current).
[Wireshark screenshot, Normal_Call_two_parties.pcap, after Decode As: the same frames now dissect as Real-Time Transport Protocol, PT=ITU-T G.711 PCMU, with four SSRCs (0x3EFBC86D, 0x4DCD5225, 0x6A41E0F3, 0x294823). Sequence numbers step by 1 and RTP timestamps by 160 per packet (20 ms of 8 kHz audio). The Telephony menu (VoIP Calls, RTP > RTP Streams / Stream Analysis, SIP Flows, SIP Statistics, ...) is open on RTP > RTP Streams.]

Frame 714: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_ff:65:9b (00:0c:29:ff:65:9b), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 13288, Dst Port: 4000
Real-Time Transport Protocol

Four SSRCs for one call is expected: two legs (phone .1 and phone .132, each talking to Asterisk) times two directions.
Analyzing the RTP stream

[Wireshark - RTP Stream Analysis, 192.168.20.130:13288 <-> 192.168.20.1:4000, tabs Forward / Reverse / Graph; "2 streams found".]

Forward (SSRC 0x3efbc86d)                 Reverse (SSRC 0x4dcd5225)
Max Delta      40.57 ms @ 540             30.43 ms @ 1370
Max Jitter     1.52 ms                    (illegible)
Mean Jitter    0.88 ms                    0.90 ms
RTP Packets    615                        617
Expected       616                        617
Lost           1 (0.16 %)                 0 (0.00 %)
Seq Errs       1                          0
Start at       102.171933 s @ 525
Duration       12.25 s                    12.29 s
Freq Drift     3451 Hz (-56.86 %)         3468 Hz (-56.64 %)
Forward to reverse start diff: -0.014346 s @ -3

Per-packet table (Packet, Sequence, Delta ms, Jitter ms, Skew, Bandwidth, Marker, Status), forward stream, first rows:
525   27862    0.00   0.00    0.00    1.68   Y
527   27863    3.53   1.03   16.47    3.36
545   27866   20.60   0.98   15.30    6.72
549   27867   19.99   0.91   15.31    8.40
553   27868   20.83   0.91   14.49   10.08
557   27869   19.74   0.87   14.74   11.76
561   27870   20.25   0.83   14.49   13.44
565   27871   20.00   0.80   14.49   15.12
570   27872   10.97   1.29   23.51   16.80
575   27873   19.61   1.24   23.91   18.48
...

Delta hovering at 20 ms confirms the 20 ms packetisation (160 samples at 8 kHz); one lost packet and one sequence error over 616 expected is a healthy stream.
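The figures in the dialog above are simple to reproduce, which is useful when a decoded stream has to be sanity-checked outside the GUI (or in bulk). The following is an added example, not code from the slides or from Wireshark: it computes delta, the RFC 3550 interarrival jitter that Wireshark's analysis uses, and the expected/lost counts from a list of packets. The packet list in sample_stream() is constructed; the 8 kHz clock is the G.711 rate used on the slides.

```python
"""Added example, not part of the original slides: the per-stream figures of
Wireshark's RTP Stream Analysis (delta, jitter, expected/lost) computed from
a packet list. sample_stream() is constructed test data; 8000 Hz is the
PCMU clock from the slides."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RtpPkt:
    arrival: float   # capture time in seconds (the pcap timestamp)
    seq: int         # 16-bit RTP sequence number
    ts: int          # 32-bit RTP timestamp, in units of the media clock


def _signed32(x: int) -> int:
    """Wrap-aware difference of two 32-bit RTP timestamps."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x >= 0x80000000 else x


def stream_stats(pkts: List[RtpPkt], clock_hz: int = 8000) -> Dict[str, float]:
    """Packets must be in arrival order. Returns what the analysis dialog shows:
    delta    = time between consecutive arrivals (ms)
    jitter   = RFC 3550 interarrival jitter, J = J + (|D| - J) / 16, where
               D = (R_i - R_i-1) - (S_i - S_i-1) is the change in transit time
               between two packets (R = arrival, S = RTP timestamp), in ms
    expected = span of sequence numbers seen, with the 16-bit wrap extended
    lost     = expected - received."""
    if not pkts:
        raise ValueError("empty stream")
    jitter = max_delta = max_jitter = jitter_sum = 0.0
    first_ext = highest_ext = pkts[0].seq
    cycles = 0
    prev = pkts[0]
    for pkt in pkts[1:]:
        delta_ms = (pkt.arrival - prev.arrival) * 1000.0
        d = (pkt.arrival - prev.arrival) - _signed32(pkt.ts - prev.ts) / clock_hz
        jitter += (abs(d) * 1000.0 - jitter) / 16.0
        # a drop from a high to a low sequence number is a wrap, not a reorder
        # (reordering across the wrap point itself is not handled here)
        if prev.seq - pkt.seq > 0x8000:
            cycles += 1
        highest_ext = max(highest_ext, cycles * 0x10000 + pkt.seq)
        max_delta = max(max_delta, delta_ms)
        max_jitter = max(max_jitter, jitter)
        jitter_sum += jitter
        prev = pkt
    expected = highest_ext - first_ext + 1
    return {
        "packets": len(pkts),
        "expected": expected,
        "lost": expected - len(pkts),
        "max_delta_ms": max_delta,
        "max_jitter_ms": max_jitter,
        "mean_jitter_ms": jitter_sum / (len(pkts) - 1) if len(pkts) > 1 else 0.0,
        "duration_s": pkts[-1].arrival - pkts[0].arrival,
    }


def sample_stream() -> List[RtpPkt]:
    """Constructed: 20 ms PCMU packets (160 samples each); the third packet
    arrives 10 ms late and sequence number 103 never arrives."""
    return [
        RtpPkt(0.000, 100, 0),
        RtpPkt(0.020, 101, 160),
        RtpPkt(0.050, 102, 320),
        RtpPkt(0.080, 104, 640),
    ]


if __name__ == "__main__":
    for name, value in stream_stats(sample_stream()).items():
        print("%-15s %s" % (name, value))
```

On the constructed stream the late packet produces a 30 ms delta and pushes the jitter estimate to 0.625 ms, then 1.21 ms, while the gap in sequence numbers shows up as 5 expected, 4 received, 1 lost; the same arithmetic is behind the 616 / 615 / 1 (0.16 %) figures in the dialog.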
Playing the RTP stream

[Wireshark - RTP Player. Waveform legend: Jitter Drops, Wrong Timestamps, Inserted Silence; time axis 106-114 s.]

Streams: SSRC 0x00294823 and SSRC 0x6a41e0f3, Setup Frame 4294967295, 616 packets each, Time Span 102 - 114 s (12.3 s), Sample Rate 8000 Hz, Payload g711U; the two directions of 192.168.20.132:4000 <-> 192.168.20.130:13408.
Output Device: Speakers (Realtek High Definition Audio); Jitter Buffer: 50; Playback Timing: Jitter Buffer.

Setup Frame 4294967295 (0xFFFFFFFF) means no SIP/SDP setup frame was found for these streams; they exist only because of the Decode As rule.
TLS traffic (SIP over TLS)

[Wireshark screenshot, Call to VoiceMail.pcap: SIP over TLS between the phone 192.168.20.132:49481 and Asterisk 192.168.20.130:5061, dissected as TLSv1.]

Time       Source           Destination      Protocol  Length  Info
3.025978   192.168.20.132   192.168.20.130   TLSv1     253     Client Hello
3.031243   192.168.20.130   192.168.20.132   TLSv1     1030    Server Hello, Certificate, Certificate Request, Server Hello Done
3.032252   192.168.20.132   192.168.20.130   TLSv1     264     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
3.033610   192.168.20.130   192.168.20.132   TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
3.035114   192.168.20.132   192.168.20.130   TLSv1     784     Application Data, Application Data
3.036454   192.168.20.130   192.168.20.132   TLSv1     688     Application Data, Application Data
3.036892   192.168.20.132   192.168.20.130   TLSv1     1088    Application Data, Application Data
...        further Application Data records at 3.039-3.131 s and 10.968-11.076 s

Frame 9: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49481, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer

Everything after the handshake is opaque Application Data: the SIP signalling, and with it the SDP that names the media ports and carries any SRTP key, is hidden until the session is decrypted. The Certificate Request from the server shows the phone also presents a client certificate (mutual TLS).
[Wireshark screenshot, Call to VoiceMail.pcap, frame 12 (the client's Certificate / Client Key Exchange) selected.]

Frame 12: 264 bytes on wire (2112 bits), 264 bytes captured (2112 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49481, Dst Port: 5061, Seq: 200, Ack: 977, Len: 210
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
    TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 134
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 130
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message

The Client Key Exchange is what makes this capture decryptable with the server's key. With RSA key exchange its body is a 2-byte length plus the pre-master secret encrypted under the server's public key: 130 - 2 = 128 bytes here, so a 1024-bit RSA key. Whoever holds the matching private key can recover the pre-master secret and from it the session keys. With a DHE/ECDHE suite the same message would carry a client Diffie-Hellman share instead, and the server's private key would be of no use.
Key exchange using RSA

• The session can be decrypted if the private key installed on the Asterisk server is obtained
• Location of the Asterisk keys and certificates: /etc/asterisk/keys
• default.key must be copied from the server

Listing of /etc/asterisk/keys:
-rw-rw-r--. 1 asterisk asterisk  215 Mar 19 03:59 ca.cfg
-rw-rw-r--. 1 asterisk asterisk 1789 Mar 19 03:59 ca.crt
-rw-rw-r--. 1 asterisk asterisk 3311 Mar 19 03:59 ca.key
drwxrwxr-x. 2 asterisk asterisk 4096 Mar 19 03:59 inte...
(listing truncated)

Note what this implies: the key is group-readable by the asterisk user, so any code execution or file read as that account on the PBX hands over every past and future SIP-over-TLS session that used RSA key exchange. Forward-secret suites (DHE/ECDHE) would limit the damage to future sessions that an attacker can actively intercept.
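Before going to the trouble of copying default.key, it is worth confirming from the capture that the server actually negotiated an RSA key exchange; if an (EC)DHE suite was chosen, the private key will not decrypt anything. The block below is an added example (not code from the slides or from Wireshark): it parses the ServerHello and reports whether the negotiated suite is decryptable with a static key, and turns the Client Key Exchange length from frame 12 into the RSA modulus size. The ServerHello bytes are constructed by build_server_hello(); the cipher-suite tables list only common suites and are an assumption.

```python
"""Added example (not from the original slides or from Wireshark): two checks
to make before loading the Asterisk private key into Wireshark's RSA keys
list. ServerHello records are constructed with build_server_hello(); the
cipher-suite tables cover common suites only (assumption)."""
import struct
from typing import Dict, Tuple

# Suites whose key exchange is static RSA: the server's private key decrypts
# the ClientKeyExchange and so recovers the session keys (IANA values).
RSA_KX_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# Suites with an ephemeral (EC)DHE exchange: the private key only signs, so
# the capture cannot be decrypted with it (a key log file would be needed).
EPHEMERAL_KX_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> Dict[str, int]:
    """Parse the first TLS record of the server's reply (the ServerHello comes
    first even when Certificate etc. share the segment) and return the
    negotiated version and cipher suite.
    record     = type(1) version(2) length(2) fragment
    ServerHello = hs_type(1) hs_len(3) version(2) random(32)
                  sid_len(1) sid cipher_suite(2) compression(1) [extensions]"""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("first record is not a Handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version, = struct.unpack("!H", body[:2])
    sid_len = body[34]
    suite, = struct.unpack("!H", body[35 + sid_len:37 + sid_len])
    return {"version": version, "cipher_suite": suite, "session_id_len": sid_len}


def key_decryptable(record: bytes) -> Tuple[bool, str]:
    """True if the server's RSA private key alone is enough to decrypt this session."""
    suite = parse_server_hello(record)["cipher_suite"]
    if suite in RSA_KX_SUITES:
        return True, RSA_KX_SUITES[suite]
    if suite in EPHEMERAL_KX_SUITES:
        return False, EPHEMERAL_KX_SUITES[suite]
    return False, "unknown cipher suite 0x%04x" % suite


def rsa_modulus_bits_from_cke(handshake_len: int) -> int:
    """With RSA key exchange the ClientKeyExchange body (TLS 1.0 and later) is a
    2-byte length followed by the pre-master secret encrypted under the server's
    public key, which is exactly as long as the RSA modulus. Frame 12 on the
    slides has handshake length 130, i.e. a 1024-bit key."""
    return (handshake_len - 2) * 8


def build_server_hello(suite: int, version: int = 0x0301) -> bytes:
    """Construct a minimal ServerHello record (test input, not captured data)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs


if __name__ == "__main__":
    for s in (0x002F, 0xC02F):
        print("0x%04x -> decryptable with server key: %s (%s)" % ((s,) + key_decryptable(build_server_hello(s))))
    print("frame 12 CKE length 130 -> RSA modulus of %d bits" % rsa_modulus_bits_from_cke(130))
```

The same check from a real capture without writing a parser: `tshark -r capture.pcap -Y "tls.handshake.type == 2" -T fields -e tls.handshake.ciphersuite` (the fields are `ssl.*` in Wireshark 2.x, the version on the slides). Anything in the 0xC0xx ECDHE or 0x0033/0x0039 DHE range rules out the private-key route.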
Edit > Preferences > Protocols > SSL

[Wireshark preferences screenshot, protocol list scrolled to SSL (between SSH and STANAG 5066). Secure Sockets Layer settings:]

• RSA keys list  [Edit...]
• SSL debug file
• Reassemble SSL records spanning multiple TCP segments  (checked)
• Reassemble SSL Application Data spanning multiple SSL records  (checked)
• Message Authentication Code (MAC), ignore "mac failed"
• Pre-Shared-Key
• (Pre)-Master-Secret log filename

The RSA keys list is where the server's private key goes. In Wireshark 3.x the protocol is named TLS and the same settings are under Protocols > TLS.
Loading the Asterisk private key

[SSL Decrypt dialog (the RSA keys list): columns IP address, Port, Protocol, Key File, Password. The entry points at a key file under C:\Users\...\Roaming\Wireshark\ssl_ke... (path truncated).]

Fill in the Asterisk address and port (192.168.20.130, 5061), the protocol to hand the plaintext to (sip), and the path of the copied default.key. The key file must be the private key in PEM or DER form; if it is passphrase-protected, the passphrase goes in the Password field.
[Wireshark screenshot, Call to VoiceMail.pcap after loading the key: the TLS Application Data records between 192.168.20.132 and 192.168.20.130 now dissect as SIP and SIP/SDP.]

No.   Time       Source           Destination      Protocol  Length  Info
17    3.039477   192.168.20.130   192.168.20.132   SIP       656     Status: 200 OK (1 binding)
19    3.089799   192.168.20.130   192.168.20.132   SIP       1370    Request: OPTIONS sip:1111@192.168.20.132:49481;transport=TLS;ob
20    3.090170   192.168.20.132   192.168.20.130   SIP       928     Status: 200 OK
22    3.130640   192.168.20.132   192.168.20.130   SIP       512     Status: 200 OK
28    10.968782  192.168.20.132   192.168.20.130   SIP/SDP   1584    Request: INVITE sip:2222@192.168.20.130;transport=tls
30    10.970517  192.168.20.130   192.168.20.132   SIP       688     Status: 401 Unauthorized
31    10.970920  192.168.20.132   192.168.20.130   SIP       528     Request: ACK sip:2222@192.168.20.130;transport=tls
32    10.971375  192.168.20.132   192.168.20.130   SIP/SDP   1888    Request: INVITE sip:2222@192.168.20.130;transport=tls
34    10.973943  192.168.20.130   192.168.20.132   SIP       496     Status: 100 Trying
36    11.075535  192.168.20.130   192.168.20.132   SIP/SDP   1184    Status: 200 OK
39    11.077488  192.168.20.132   192.168.20.130   SIP       512     Request: ACK sip:192.168.20.130:5061;transport=TLS
48    11.117569  192.168.20.132   192.168.20.130   SIP/SDP   1120    Request: UPDATE sip:192.168.20.130:5061;transport=TLS
50    11.118325  192.168.20.130   192.168.20.132   SIP/SDP   1152    Status: 200 OK
2302  33.695049  192.168.20.130   192.168.20.132   SIP       592     Request: BYE sip:1111@192.168.20.132:49481;transport=TLS;ob
2303  33.695785  192.168.20.132   192.168.20.130   SIP       496     Status: 200 OK

Frame 50: 1152 bytes on wire (9216 bits), 1152 bytes captured (9216 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
Transmission Control Protocol, Src Port: 5061, Dst Port: 49481, Seq: 5985, Ack: 8868, Len: 1098
Secure Sockets Layer
Session Initiation Protocol (200)

The decrypted dialog is the textbook flow from the earlier SIP slide: REGISTER answered with 200 OK (1 binding), a first INVITE challenged with 401 Unauthorized, the re-sent INVITE with credentials answered 100 Trying then 200 OK, ACK, an UPDATE with new SDP, and finally a BYE from the server side when voicemail hangs up.
[Wireshark screenshot, display filtered to the SIP/SDP messages of the call:]

No.  Time       Source           Destination      Protocol  Length  Info
28   10.968782  192.168.20.132   192.168.20.130   SIP/SDP   1584    Request: INVITE sip:2222@192.168.20.130;transport=tls
32   10.971375  192.168.20.132   192.168.20.130   SIP/SDP   1888    Request: INVITE sip:2222@192.168.20.130;transport=tls
36   11.075535  192.168.20.130   192.168.20.132   SIP/SDP   1184    Status: 200 OK
48   11.117569  192.168.20.132   192.168.20.130   SIP/SDP   1120    Request: UPDATE sip:192.168.20.130:5061;transport=TLS
50   11.118325  192.168.20.130   192.168.20.132   SIP/SDP   1152    Status: 200 OK

Frame 50: 1152 bytes on wire (9216 bits), 1152 bytes captured (9216 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
Transmission Control Protocol, Src Port: 5061, Dst Port: 49481, Seq: 5985, Ack: 8868, Len: 1098
Secure Sockets Layer
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730743973 3730743976 IN IP4 192.168.20.130
            Session Name (s): Asterisk
            Connection Information (c): IN IP4 192.168.20.130
            Time Description, active time (t): 0 0
            Media Description, name and address (m): ... (not legible in the screenshot)
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000

This SDP is what TLS was protecting. The c= and m= lines give the address and port of the RTP for this leg, so the UDP port can be decoded as RTP without guessing, and once Wireshark has seen this SDP it associates the stream automatically. If the m= line uses plain RTP/AVP and there is no a=crypto attribute, the audio itself travels unencrypted even though the signalling was over TLS.
Open-source tools for decrypting SRTP

• srtp-decrypt
• libsrtp
srtp-decrypt: a tool for decrypting SRTP packets

• Decrypts SRTP traffic with the symmetric (master) key
• Writes the decrypted packets as a hexdump
• Wireshark can rebuild RTP packets from that hex file (File > Import from Hex Dump)

GitHub: https://github.com/gteissier/srtp-decrypt ("Deciphers SRTP packets"; 10 commits, 1 branch, 1 contributor, latest commit ac50693 on Jan 18, 2016)

Installing the build dependencies (libgcrypt and libpcap):

pentester@PentesterAcademy:~/work/srtp-decrypt$ sudo apt-get install libgcrypt-dev
sudo: unable to resolve host PentesterAcademy
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libgcrypt20-dev' instead of 'libgcrypt-dev'
The following additional packages will be installed:
  libgcrypt20 libgpg-error-dev
...

pentester@PentesterAcademy:~/work/srtp-decrypt$ sudo apt-get install libpcap-dev
sudo: unable to resolve host PentesterAcademy
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libpcap0.8-dev
The following NEW packages will be installed:
  libpcap-dev libpcap0.8-dev
Cloning

root@PentesterAcademy:/work# git clone https://github.com/gteissier/srtp-decrypt.git
Cloning into 'srtp-decrypt'...
remote: Counting objects: 35, done.
remote: Total 35 (delta 0), reused 0 (delta 0), pack-reused 35
Unpacking objects: 100% (35/35), done.

Compiling

root@PentesterAcademy:/work/srtp-decrypt# make
cc -g -O5 -Wall -c -o srtp.o srtp.c
cc -g -O5 -Wall -c -o srtp-decrypt.o srtp-decrypt.c
cc -o srtp-decrypt srtp-decrypt.o srtp.o -lpcap -lgcrypt
Contents of the directory after the build (ls -l output, owner root, all dated Mar 17; size, time, name):

    273  05:36  Makefile
2853144  05:36  marseillaise-srtp.pcap   (sample SRTP capture shipped with the tool)
    945  05:36  README.md
  22057  05:36  srtp.c
  54112  05:40  srtp-decrypt             (the built binary)
   3917  05:36  srtp-decrypt.c
  26464  05:40  srtp-decrypt.o
   2720  05:36  srtp.h
  52096  05:40  srtp.o
[Wireshark screenshot, Normal_Call_two_parties.pcap: the SIP/SDP 200 OK from Asterisk (frame 188, 1051 bytes, UDP 5060, 192.168.20.130 -> 192.168.20.132) and the BYEs that end the call. The context menu on the crypto attribute is open at Copy (Description, Field Name, Value, As Filter, Bytes as Hex + ASCII Dump, ...as Hex Dump, ...as Hex Stream, ...as Raw Binary, ...as Escaped String).]

No.   Time       Protocol  Length  Info
188   29.319111  SIP/SDP   1051    Status: 200 OK
2312  39.694387  SIP       461     Request: BYE sip:asterisk@192.168.20.130:5060
2313  39.701755  SIP       446     Status: 200 OK
2317  39.709060  SIP       487     Request: BYE sip:1111@192.168.20.132:60850;ob
2318  39.709625  SIP       406     Status: 200 OK

Frame 188: 1051 bytes on wire (8408 bits)
Ethernet II, Src: Vmware_ff:65:9b (00:0c:29:ff:65:9b), Dst: Vmware_6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
User Datagram Protocol, Src Port: 5060, Dst Port: ...
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): ...
            Owner/Creator, Session Id (o): ...
            Session Name (s): Asterisk
            Connection Information (c): IN IP4 ...
            Time Description, active time (t): ...
            Media Description, name and address (m): ...
            Media Attribute (a): crypto:1 ... (line cut off by the menu)
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ptime:20
            Media Attribute (a): maxptime:150
            Media Attribute (a): sendrecv

The a=crypto attribute (SDES, RFC 4568) carries the SRTP master key and salt, base64-encoded, in clear text inside the SDP. This is why the signalling matters so much: anyone who can read the SDP, because SIP ran over plain UDP/TCP or because SIP over TLS was decrypted as above, has the media key. Copy the inline: value with Copy > Value; that base64 string is what srtp-decrypt -k expects. Each SDP (offer and answer, on each leg) carries its own key, and a party's key protects the media that party sends, so this 200 OK from Asterisk keys the Asterisk -> 192.168.20.132 direction.
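Pulling the key and the matching stream parameters out of an SDP is a small parsing job that is easy to get subtly wrong (the base64 blob is key and salt concatenated, and the split depends on the crypto-suite). The block below is an added example, not code from the slides or from srtp-decrypt: it reads an SDP body, reports whether the m= line negotiated SRTP, splits every a=crypto line into master key and master salt, extracts the announced a=ssrc as the hex value Wireshark shows, and gives the authentication-tag length the decryptor strips. SAMPLE_SDP is constructed from the answers on the slides (m= and a=ssrc from the pjmedia 200 OK, the key from Asterisk's 200 OK; a real SDP carries its own key); the crypto-suite name AES_CM_128_HMAC_SHA1_80 is an assumption because the screenshot truncates the a=crypto line.

```python
"""Added example, not part of the original slides or of srtp-decrypt/libsrtp:
extract from an SDP body what is needed to pick and decrypt an SRTP stream.
SAMPLE_SDP is constructed; the suite name on its a=crypto line is assumed."""
import base64
import re
from typing import Dict

# RFC 4568 / RFC 7714 crypto-suite -> (master key, master salt) lengths in bytes
SUITE_KEY_SIZES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
    "AEAD_AES_128_GCM": (16, 12),
    "AEAD_AES_256_GCM": (32, 12),
}

# a=crypto:<tag> <suite> inline:<base64>[|lifetime][|MKI:len] [session-params]
CRYPTO_LINE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/]+=*)(.*)$")


def auth_tag_bytes(suite: str) -> int:
    """Length of the authentication tag at the end of every SRTP packet, which a
    decryptor strips: the 182-byte SRTP payloads on the slides came back as
    172-byte RTP packets, i.e. the 10-byte tag of the *_HMAC_SHA1_80 suites."""
    if suite.endswith("_80"):
        return 10
    if suite.endswith("_32"):
        return 4
    if "GCM" in suite:
        return 16
    raise ValueError("unknown crypto-suite %s" % suite)


def parse_crypto_line(line: str) -> Dict:
    """Split one a=crypto line into tag, suite, master key and master salt.
    The inline: value is base64(master_key || master_salt)."""
    m = CRYPTO_LINE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, b64, rest = m.groups()
    if suite not in SUITE_KEY_SIZES:
        raise ValueError("unsupported crypto-suite %s" % suite)
    key_len, salt_len = SUITE_KEY_SIZES[suite]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate missing padding
    if len(blob) != key_len + salt_len:
        raise ValueError("%d bytes of key material, %s needs %d" % (len(blob), suite, key_len + salt_len))
    return {
        "tag": int(tag),
        "suite": suite,
        "inline_b64": b64,                 # what srtp-decrypt -k / rtp_decoder -b take
        "master_key": blob[:key_len],
        "master_salt": blob[key_len:],
        "session_params": rest.strip().lstrip("|"),
        "auth_tag_bytes": auth_tag_bytes(suite),
    }


def parse_sdp(sdp: str) -> Dict:
    """Collect the facts needed to match an SDP to a captured stream."""
    info = {"srtp": False, "media_port": None, "ssrc": None, "keys": []}
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m=audio "):
            fields = line.split()
            info["media_port"] = int(fields[1])
            info["srtp"] = fields[2] in ("RTP/SAVP", "RTP/SAVPF")   # SAVP = secure profile
        elif line.startswith("a=crypto:"):
            info["keys"].append(parse_crypto_line(line))
        elif line.startswith("a=ssrc:"):
            # a=ssrc:<decimal> <attribute>; Wireshark lists SSRCs in hex
            info["ssrc"] = int(line[len("a=ssrc:"):].split()[0])
    return info


SAMPLE_SDP = """v=0
o=- 3730471310 3730471311 IN IP4 192.168.5.114
s=pjmedia
c=IN IP4 192.168.5.114
t=0 0
m=audio 4000 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:uK+RfjSi9/fUFr8zoJu6zdqPw6MGtONhgX4yqwRj
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=ssrc:965767637 cname:66bf37b000942b74
"""

if __name__ == "__main__":
    info = parse_sdp(SAMPLE_SDP)
    print("SRTP:", info["srtp"], "port:", info["media_port"], "ssrc: 0x%08X" % info["ssrc"])
    for k in info["keys"]:
        print(k["suite"], "key", k["master_key"].hex(), "salt", k["master_salt"].hex())
```

The 40 base64 characters decode to exactly 30 bytes, 16 of key and 14 of salt, which is the only split AES_CM_128_HMAC_SHA1_80 allows; a key of any other length means the suite name was read wrong. The decimal a=ssrc:965767637 is 0x399071D5, the SSRC of the 192.168.20.1 -> 192.168.20.130 SRTP stream in the packet list, which is how an SDP answer is tied to the stream its key protects.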
[Wireshark screenshot, Normal_Call_two_parties.pcap: because the SDP negotiated RTP/SAVP, the media is now listed as SRTP, but the payload is still ciphertext.]

No.  Time       Source           Destination      Protocol  Info
196  29.355005  192.168.20.130   192.168.20.1     SRTP      PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4650, Time=320
197  29.372665  192.168.20.1     192.168.20.130   SRTP      PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
198  29.372952  192.168.20.130   192.168.20.132   SRTP      PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
199  29.375160  192.168.20.132   192.168.20.130   SRTP      PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15577, Time=480

Frame 195: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol
Real-Time Transport Protocol

SRTP encrypts only the payload; the RTP header (payload type, sequence number, timestamp, SSRC) stays in clear and is merely authenticated, which is why Wireshark can already list streams, SSRCs and sequence numbers. The G.711 samples behind the header are what the key unlocks. Four SSRCs again: one per direction per leg, and each direction is keyed by the a=crypto line of the side that sends it.


Running srtp-decrypt

root@PentesterAcademy:/work/srtp-decrypt# ./srtp-decrypt -k uK+RfjSi9/fUFr8zoJu6zdqPw6MGtONhgX4yqwRj < ./Normal_Call_two_parties.pcap > decoded.raw
frame 0 dropped: decoding failed 'Permission denied'
frame 1 dropped: decoding failed 'Permission denied'
frame 2 dropped: decoding failed 'Permission denied'
...
frame 8 dropped: decoding failed 'Permission denied'

• -k: the SRTP key copied from the a=crypto line (here uK+RfjSi9/fUFr8zoJu6zdqPw6MGtONhgX4yqwRj)
• Input file: the SRTP capture, Normal_Call_two_parties.pcap, read from standard input
• Output file: decoded.raw, the decrypted packets as a hexdump

Decrypted output (decoded.raw): a time line followed by a hexdump for each packet that decrypted, 12838 lines in total

0000  80 00 ...
...
00a0  7e ... ff

Frames that cannot be authenticated and decrypted with this key are reported as dropped: packets that are not SRTP at all, and streams keyed from another SDP (the other leg, or the other direction of this one). One key therefore recovers one direction of one leg; the remaining three streams need the keys from their own SDP lines.
Importing the hexdump into Wireshark

[Wireshark File menu: Open, Open Recent, Merge..., Import from Hex Dump..., Close, Save, Save As..., File Set, Export Specified Packets..., Export Packet Dissections, Export Packet Bytes..., Export PDUs to File..., Export SSL Session Keys..., Export Objects, Print..., Quit. The recent-file list shows the lab captures: \voip_trial\SIP+RTP_call_trace_merged.pcap (430 KB), \voip_trial\SIP over TLS+RTP_call_trace.pcap (516 KB), \voip_trial\SIP over TLS+SRTP_call_trace.pcap (672 KB), \voip_trial\SIP+SRTP_call_trace.pcap (535 KB), plus temporary import_*.pcapng files from earlier imports.]
Wireshark - Import From Hex Dump

• Import From: decoded.raw
• Offsets: Hexadecimal (alternatives: Decimal, Octal, None)
• Timestamp format: empty (no format will be applied)
• Direction indication: off
• Encapsulation Type: Ethernet
• Dummy header: UDP, with a source and destination port (4000 -> 17786 here); the other choices are No dummy header, Ethernet + Ethertype (hex), IPv4 + Protocol (dec), SCTP + Tag, SCTP (Data) + PPI
• Maximum frame length: default

Importing the decrypted UDP packets

[Wireshark screenshot, import_20180320032955_a10724.pcapng: every packet is 1.1.1.1 -> 2.2.2.2 UDP, 214 bytes on wire with 172 bytes of UDP data, timestamps 0.000000, 0.000001, 0.000002, ... (one microsecond apart, because no timestamp format was given).]

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Data (172 bytes)

The 1.1.1.1 / 2.2.2.2 addresses and the Send_00 / Receive_00 MACs are the dummy headers the importer fabricates; they say nothing about the original call. 172 bytes is a 12-byte RTP header plus 160 bytes of G.711 (20 ms at 8 kHz, one byte per sample); the 10-byte difference from the 182-byte SRTP payloads in the capture is the authentication tag that srtp-decrypt strips, consistent with an 80-bit-tag suite.
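The hex-dump import works, but the GUI step is slow to repeat and, with no timestamp format, throws the timing away. The block below is an added example, not code from the slides, from srtp-decrypt or from Wireshark: it does the same job in a script, parsing an offset/hex-bytes listing, wrapping each decrypted RTP packet in dummy Ethernet/IPv4/UDP headers like the importer's, and writing a pcap that Wireshark or tshark opens directly. It also sets each capture timestamp from the packet's RTP timestamp (8 kHz clock assumed, as for the G.711 streams on the slides), so stream analysis on the result shows real 20 ms deltas instead of microseconds. SAMPLE_DUMP is constructed, including the time line format before each packet; the dummy addresses, MACs and ports are the ones the slides show.

```python
"""Added example, not part of the original slides or of either tool: the
equivalent of Wireshark's File > Import from Hex Dump as a script, with
capture timestamps taken from the RTP clock. SAMPLE_DUMP is constructed."""
import socket
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
RTP_CLOCK_HZ = 8000                                # assumption: PCMU/8000
HEXDIGITS = set("0123456789abcdefABCDEF")
DUMMY_DST_MAC = bytes.fromhex("205245435600")      # Receive_00, as Wireshark's importer uses
DUMMY_SRC_MAC = bytes.fromhex("2053454e4400")      # Send_00


def parse_hexdump(text: str) -> List[bytes]:
    """Rebuild packets from lines of '<offset> <hex> <hex> ...'. A row at offset
    0000 starts a new packet; any line whose first token is not a 4-digit hex
    offset (a time line, a blank line) ends the current one. Rows are capped at
    16 bytes so a trailing ASCII column cannot be mistaken for data."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or len(tokens[0]) != 4 or not set(tokens[0]) <= HEXDIGITS:
            if cur:
                packets.append(bytes(cur))
                cur = bytearray()
            continue
        if tokens[0] == "0000" and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        for tok in tokens[1:17]:
            if len(tok) != 2 or not set(tok) <= HEXDIGITS:
                break
            cur.append(int(tok, 16))
    if cur:
        packets.append(bytes(cur))
    return packets


def rtp_fields(pkt: bytes) -> Tuple[int, int, int, int]:
    """(payload type, sequence, timestamp, SSRC) from the 12-byte fixed RTP header."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("RTP version is not 2")
    return b1 & 0x7F, seq, ts, ssrc


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 when a header with
    its checksum filled in is re-summed."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_udp(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Dummy Ethernet/IPv4/UDP encapsulation; UDP checksum 0 means 'not present'."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return DUMMY_DST_MAC + DUMMY_SRC_MAC + b"\x08\x00" + bytes(ip) + udp


def build_pcap(packets: List[bytes], src_ip: str = "1.1.1.1", dst_ip: str = "2.2.2.2",
               sport: int = 4000, dport: int = 17786, base_time: float = 0.0) -> bytes:
    """pcap file (little-endian, microsecond timestamps) with one Ethernet frame per
    packet; the timestamp of each frame is base_time plus the RTP timestamp offset
    from the first packet converted with RTP_CLOCK_HZ."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    first_ts = None
    for pkt in packets:
        _, _, rtp_ts, _ = rtp_fields(pkt)
        if first_ts is None:
            first_ts = rtp_ts
        t = base_time + ((rtp_ts - first_ts) & 0xFFFFFFFF) / RTP_CLOCK_HZ
        sec = int(t)
        usec = int(round((t - sec) * 1_000_000))
        frame = wrap_udp(pkt, src_ip, dst_ip, sport, dport)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def pcap_records(pcap: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a pcap produced by build_pcap and return (sec, usec, frame) per record."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    recs, off = [], 24
    while off < len(pcap):
        sec, usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        recs.append((sec, usec, pcap[off + 16:off + 16 + incl]))
        off += 16 + incl
    return recs


# Constructed: two RTP packets (PCMU, SSRC 0x60542655, seq 16568/16569, ts 320/480)
# with 4 bytes of payload each, preceded by an illustrative time line.
SAMPLE_DUMP = """\
12:08.731764
0000  80 00 40 b8 00 00 01 40 60 54 26 55 ff ff ff ff
12:08.751764
0000  80 00 40 b9 00 00 01 e0 60 54 26 55 ff ff ff ff
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP   # e.g. decoded.raw
    pkts = parse_hexdump(text)
    with open("decoded_rtp.pcap", "wb") as f:
        f.write(build_pcap(pkts))
    print("wrote %d packets, first SSRC 0x%08X" % (len(pkts), rtp_fields(pkts[0])[3]))
```

Run with `python3 import_rtp.py decoded.raw` (script name assumed); the resulting decoded_rtp.pcap still needs Decode As RTP on port 4000, exactly like the GUI import, because nothing in the dummy headers tells Wireshark the payload is RTP.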
Decode as RTP

[Wireshark screenshot, import_20180320032955_a10724.pcapng: right-click a frame > Decode As..., then set the UDP port to RTP.]

Field     Value  Type              Default  Current
UDP port  4000   Integer, base 10  ICQ      RTP

The Default column shows why the port needs the rule at all: Wireshark's own registration for UDP 4000 is ICQ, not RTP.
[Wireshark screenshot, import_20180320032955_a10724.pcapng after Decode As: the imported packets dissect as RTP, and Telephony > RTP > RTP Streams lists the stream.]

No.  Time      Source   Destination  Protocol  Info
2    0.000001  1.1.1.1  2.2.2.2      RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16568, Time=320
3    0.000002  1.1.1.1  2.2.2.2      RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16569, Time=480
4    0.000003  1.1.1.1  2.2.2.2      RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
5    0.000004  1.1.1.1  2.2.2.2      RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16571, Time=800
6    0.000005  1.1.1.1  2.2.2.2      RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16572, Time=960
7    0.000006  1.1.1.1  2.2.2.2      RTP       PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16573, Time=1120

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol

SSRC 0x60542655 with Seq=16570 at Time=640 is exactly frame 198 of the SRTP capture, the 192.168.20.130 -> 192.168.20.132 stream: the key from Asterisk's 200 OK decrypted the direction Asterisk sends, as SDES prescribes, and nothing else.
Analyzing the recovered RTP stream

[Wireshark - RTP Stream Analysis - import_20180320032955_a10724, 1.1.1.1:4000 -> 2.2.2.2:17786]

Forward (SSRC 0x60542655)
RTP Packets   520
Expected      520
Lost          0 (0.00 %)
Seq Errs      0
Max Delta     0.00 ms @ 11
Max Jitter    20.00 ms
Mean Jitter   19.96 ms
Start at      0.000000 s @ 1
Duration      0.00 s
Freq Drift    160000000 Hz (1999900.00 %)

Reverse: SSRC 0x00000000, 0 packets, 1 expected (the import contains only the one decrypted direction).

Per-packet rows (Packet, Sequence, Delta ms, Jitter ms, Skew, Bandwidth), newest first:
520  17086  0.00  20.00  10379.48  832.00
519  17085  0.00  20.00  10359.48  830.40
518  17084  0.00  20.00  10339.48  828.80
...
494  17060  0.00  20.00   9859.51  790.40
493  17059  0.00  20.00   9839.51  788.80

The sequence numbers are continuous and nothing is lost, so the decryption is complete. The timing columns, however, are artifacts: the import stamped every packet one microsecond after the previous one, so delta is 0 ms, the RFC 3550 jitter estimate converges on the 20 ms packetisation interval (arrival spacing minus RTP-timestamp spacing is -20 ms every time), and the frequency drift is absurd. To keep real timing, either give the importer a timestamp format matching the time line srtp-decrypt writes before each packet, or build the pcap with timestamps derived from the RTP timestamps.
[Wireshark - RTP Player: legend Jitter Drops, Wrong Timestamps, Inserted Silence. One stream: 1.1.1.1:4000 -> 2.2.2.2:17786, SSRC 0x60542655, Setup Frame 4294967295, 520 packets, Time Span 0 - 0.000519 s (0.000519), Sample Rate 8000 Hz, Payload g711U. Output Device: Speakers (Realtek High Definition Audio); Jitter Buffer: 50; Playback Timing: Jitter Buffer.]

The decrypted audio plays, but with a 0.5 ms time span the jitter-buffer timing has nothing to work with; if playback sounds wrong, this is the synthetic timestamps again, not a decryption problem.
libsrtp: the reference implementation of the Secure Real-time Transport Protocol (SRTP)

• Can decrypt SRTP packets (the rtp_decoder tool in its test/ directory)
libsrtp

GitHub: https://github.com/cisco/libsrtp ("Library for SRTP (Secure Realtime Transport Protocol)"; at the time of the screenshot 1,039 commits, 8 branches, 16 releases, 48 contributors; Watch 75, Star 386, Fork 198)
libsrtp: setup

• Cloning

root@PentesterAcademy:/work# git clone https://github.com/cisco/libsrtp.git
Cloning into 'libsrtp'...
remote: Counting objects: 6495, done.
remote: Total 6495 (delta 0), reused 0 (delta 0), pack-reused 6495
Receiving objects: 100% (6495/6495), 5.28 MiB | 126.00 KiB/s, done.
Resolving deltas: 100% (4442/4442), done.
root@PentesterAcademy:/work# cd libsrtp/


• Configure

root@PentesterAcademy:/work/libsrtp# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for ar... ar
checking the archiver (ar) interface... ar
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... 
• Make

root@PentesterAcademy:/work/libsrtp# make
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c srtp/srtp.c -o srtp/srtp.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c srtp/ekt.c -o srtp/ekt.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/cipher/cipher.c -o crypto/cipher/cipher.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/cipher/null_cipher.c -o crypto/cipher/null_cipher.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/cipher/aes_icm.c -o crypto/cipher/aes_icm.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/cipher/aes.c -o crypto/cipher/aes.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/hash/null_auth.c -o crypto/hash/null_auth.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/hash/auth.c -o crypto/hash/auth.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC ... -funroll-loops -c crypto/hash/hmac.c -o crypto/hash/hmac.o
(the middle of each command line is cut off in the screenshot)
libsrtp: setup complete

root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -h
Using libsrtp2 2.2.0-pre [0x2020000]
usage: ./rtp_decoder [-d <debug>]* [[-k][-b] <key> [-a][-e]]
or     ./rtp_decoder -l
where  -a use message authentication
       -e <key size> use encryption (use 128 or 256 for key size)
       -g Use AES-GCM mode (must be used with -e)
       -t <tag size> Tag size to use (in GCM mode use 8 or 16)
       -k <key>  sets the srtp master key given in hexadecimal
       -b <key>  sets the srtp master key given in base64
       -l list debug modules
       -f "<pcap filter>" to filter only the desired SRTP packets
       -d <debug> turn on debugging for module <debug>
       -s "<srtp-crypto-suite>" to set both key and tag size based
          on RFC4568-style crypto suite specification

Compared with srtp-decrypt this gives the two things that were missing above: -f takes a pcap filter expression, so the input can be narrowed to one stream (for example the UDP port pair from the SDP) instead of having every other packet reported as dropped, and -s names the crypto-suite straight from the a=crypto line so the key and tag sizes are set consistently, with -b taking the base64 key exactly as it appears there.
Libsrtp: the SRTP call in Wireshark

Normal_Call_two_parties.pcap, the SIP packets of the call:

No.  Time       Source          Destination     Protocol  Length  Info
128  27.128753  192.168.20.132  192.168.20.130  SIP/SDP   278     Request: INVITE sip:2222@192.168.20.130
131  27.301506  192.168.20.130  192.168.20.1    SIP/SDP   1174    Request: INVITE sip:2222@192.168.20.1:60168;ob
173  29.293203  192.168.20.1    192.168.20.130  SIP/SDP   1101    Status: 200 OK
178  29.314263  192.168.20.130  192.168.20.132  SIP/SDP   1131    Status: 200 OK

Frame 173, the callee's 200 OK, dissected:

Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730471310 3730471311 IN IP4 192.168.5.114
            Session Name (s): pjmedia
            Bandwidth Information (b): AS:84
            Time Description, active time (t): 0 0
            Session Attribute (a): X-nat:0
            Media Description, name and address (m): audio 4000 RTP/SAVP 0 101
            Connection Information (c): IN IP4 192.168.5.114
            Bandwidth Information (b): TIAS:64000
            Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
            Media Attribute (a): sendrecv
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74
Libsrtp: copy the SRTP key

The same 200 OK with its SDP scrolled further down: after the ssrc attribute the answer carries the SDES keying line

    Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:…

Right-clicking that attribute opens the context menu (Expand Subtrees, Expand All, Collapse All, Apply as Column, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize with Filter, Follow, Copy with its submenu All Visible Items, All Visible Selected Tree Items, Description, Field Name, As Filter, Bytes as Hex + ASCII Dump, ...as Hex Dump, ...as Printable Text, ...as a Hex Stream, then Show Packet Bytes..., Export Packet Bytes..., Wiki Protocol Page, Filter Field Reference, Protocol Preferences, Decode As..., Go to Linked Packet, Show Linked Packet in New Window). The inline value copied from here is the base64 SRTP master key that rtp_decoder later receives with -b; because this call signalled over plain UDP on port 5060, the key is readable by anyone who captured the SIP exchange.

©PentesterAcademy.com
Libsrtp: filter

Right-clicking the Internet Protocol layer of the 200 OK (Version 4, Header Length 20 bytes, Total Length 1087, Identification 0x14d4 (5332), TTL 128, Protocol UDP (17), Src 192.168.20.1, Dst 192.168.20.130; UDP 60168 → 5060) opens the context menu with Expand Subtrees, Expand All, Collapse All, Apply as Column, Apply as Filter, Prepare a Filter (Selected, Not Selected, ...and Selected, ...or Selected, ...and not Selected, ...or not Selected), Conversation Filter, Colorize with Filter, Follow, Copy, Show Packet Bytes..., Export Packet Bytes..., Wiki Protocol Page, Filter Field Reference, Protocol Preferences, Decode As..., Go to Linked Packet, Show Linked Packet in New Window. From here the capture is narrowed to the packets of this call.
Libsrtp: filter out the RTP stream

Normal_Call_two_parties.pcap filtered to the media of the call: 18 packets (frames 177 to 260) from 192.168.20.1 to 192.168.20.130, UDP 4000 → 16450, each 224 bytes, dissected as SRTP, PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25650 to 25667, Time=160 to 2880, Mark set on the first packet (frame 177: Ethernet II Vmware_c0:00:08 → Vmware_ff:65:9b, IPv4, UDP, Real-Time Transport Protocol).

The size adds up as 14 bytes Ethernet + 20 IP + 8 UDP + 12 RTP header + 160 bytes of 20 ms PCMU audio + the 10-byte authentication tag of AES_CM_128_HMAC_SHA1_80 = 224 bytes. SRTP encrypts only the payload, which is why SSRC, sequence number and timestamp are still readable in the packet list.
Libsrtp: export the filtered packets

The Wireshark File menu over the filtered view (Open Ctrl+O, Open Recent, Merge..., Import from Hex Dump..., Close Ctrl+W, Save Ctrl+S, Save As... Ctrl+Shift+S, File Set, Export Packet Bytes..., Export PDUs to File..., Export SSL Session Keys..., Export Objects, Print..., Quit): the displayed SRTP packets are written to a new capture file, used in the later slides as Normal_Call_two_parties_Exported_RTP.pcap.
Libsrtp: save the exported packets

Export dialog: Save in "SIP + SRTP" (which also holds Call_to_VoiceMail.pcap, Conference_Call_three_parties.pcap and Normal_Call_two_parties.pcap), Save as type "Wireshark/tcpdump/... - pcap (*.dmp.gz;*.dmp;*.c...)", "Compress with gzip" unticked; Packet Range: Captured, All packets (selected), Selected packet, Marked packets, First to last marked, Range, Remove Ignored packets.
Libsrtp: decrypt

• ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ./Normal_Call_two_parties_Exported_RTP.pcap
• -a: use message authentication
• -t: authentication tag size (80 bits, i.e. 10 bytes)
• -e: encryption key length; this call negotiated AES_CM_128_HMAC_SHA1_80, so the key is 128 bits
• -b: the SRTP master key in base64 (the inline value copied from the SDP crypto attribute)
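Every value on this slide can be read off the SDP crypto attribute, which is also how a defender tells from a capture whether a call's media was protected and how. The Python below is an added example, not course material or libsrtp code: it parses the a=crypto line of the 200 OK (the sample SDP is reconstructed from the slides and uses the slides' inline key), maps the RFC 4568 suite to the rtp_decoder -e/-t values, and classifies each m= line as plaintext RTP, SDES-keyed SRTP (key exposed in signalling) or DTLS-SRTP. The suite table and the regular expression are this example's own.

```python
"""Read SRTP keying material out of an SDP answer (added example, not libsrtp code)."""
import base64
import re

# RFC 4568, RFC 6188 and RFC 7714 crypto suites:
# name -> (master key bits, master salt bits, auth tag bits, AES-GCM?)
CRYPTO_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (128, 112, 80, False),
    "AES_CM_128_HMAC_SHA1_32": (128, 112, 32, False),
    "AES_256_CM_HMAC_SHA1_80": (256, 112, 80, False),
    "AES_256_CM_HMAC_SHA1_32": (256, 112, 32, False),
    "AEAD_AES_128_GCM": (128, 96, 128, True),
    "AEAD_AES_256_GCM": (256, 96, 128, True),
}

# SDP answer reconstructed from the 200 OK in the slides; the inline value is the
# base64 master key the slides hand to rtp_decoder with -b.
SAMPLE_SDP = """v=0
o=- 3730471310 3730471311 IN IP4 192.168.5.114
s=pjmedia
b=AS:84
t=0 0
a=X-nat:0
m=audio 4000 RTP/SAVP 0 101
c=IN IP4 192.168.5.114
b=TIAS:64000
a=rtcp:4001 IN IP4 192.168.5.114
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ssrc:965767637 cname:66bf37b000942b74
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE
"""

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(r"^(?:a=)?crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)((?:\|\S+)*)")


def parse_crypto_attribute(line):
    """Split an SDES crypto attribute into suite, master key, master salt and options."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an inline SDES crypto attribute: %r" % line)
    tag, suite, b64, extra = m.groups()
    if suite not in CRYPTO_SUITES:
        raise ValueError("unsupported crypto suite: %s" % suite)
    key_bits, salt_bits, tag_bits, gcm = CRYPTO_SUITES[suite]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # SDP may omit the padding
    need = (key_bits + salt_bits) // 8
    if len(raw) != need:
        raise ValueError("inline value is %d bytes, %s needs %d" % (len(raw), suite, need))
    params = [p for p in extra.split("|") if p]
    return {
        "tag": int(tag), "suite": suite, "b64": b64,
        "key": raw[:key_bits // 8], "salt": raw[key_bits // 8:],
        "key_bits": key_bits, "tag_bytes": tag_bits // 8, "gcm": gcm,
        "lifetime": next((p for p in params if ":" not in p), None),
        "mki": next((p for p in params if ":" in p), None),
    }


def rtp_decoder_args(info):
    """Argument list for libsrtp's rtp_decoder matching the suite (-g only for GCM)."""
    args = ["-a", "-t", str(info["tag_bytes"]), "-e", str(info["key_bits"])]
    if info["gcm"]:
        args.append("-g")
    return args + ["-b", info["b64"]]


def media_protection(sdp):
    """Per m= line: transport profile and the SDES suite (if any) that follows it."""
    sections, current = {}, None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = fields[0]
            sections[current] = {"proto": fields[2], "suite": None}
        elif line.startswith("a=crypto:") and current:
            sections[current]["suite"] = parse_crypto_attribute(line)["suite"]
    return sections


def assess(section):
    """Defender's reading of one media section."""
    proto, suite = section["proto"], section["suite"]
    if proto == "RTP/AVP":
        return "plaintext RTP: audio readable by anyone who can capture it"
    if proto == "RTP/SAVP" and suite:
        return ("SDES-SRTP (%s): media encrypted, but the master key travels in this SDP "
                "and is only as secret as the SIP transport carrying it" % suite)
    if proto == "RTP/SAVP":
        return "RTP/SAVP without a crypto attribute: keying not visible here"
    if proto.startswith("UDP/TLS/RTP/SAVP"):
        return "DTLS-SRTP: keys negotiated in-band, no key in the SDP"
    return "unrecognised profile %s" % proto


if __name__ == "__main__":
    for name, section in media_protection(SAMPLE_SDP).items():
        print(name, "->", assess(section))
    info = parse_crypto_attribute(SAMPLE_SDP.splitlines()[-1])
    print("rtp_decoder", " ".join(rtp_decoder_args(info)))
```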
Libsrtp: decoder output

root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ../../Normal_Call_two_parties_Exported_RTP.pcap
Using libsrtp2 2.2.0-pre [0x2020000]
security services: confidentiality message authentication

The decrypted packets follow on standard output as a hex dump, the format text2pcap reads back in.
Libsrtp: text2pcap help

root@PentesterAcademy:~# text2pcap
Must specify input and output filename

Usage: text2pcap [options] <infile> <outfile>

where  <infile> specifies input  filename (use - for standard input)
      <outfile> specifies output filename (use - for standard output)

Input:
  -o hex|oct|dec         parse offsets as (h)ex, (o)ctal or (d)ecimal;
                         default is hex.
  -t <timefmt>           treat the text before the packet as a date/time code;
                         the specified argument is a format string of the sort
                         supported by strptime.
                         Example: The time "10:15:14.5476" has the format code
                         "%H:%M:%S."
                         NOTE: The subsecond component delimiter, '.', must be
                         given, but no pattern is required; the remaining
                         number is assumed to be fractions of a second.
                         NOTE: Date/time fields from the current date/time are
                         used as the default for unspecified fields.
  -D                     the text before the packet starts with an I or an O,
                         indicating that the packet is inbound or outbound.
                         This is only stored if the output format is PCAP-NG.
  -a                     enable ASCII text dump identification.
                         The start of the ASCII text dump can be identified
                         and excluded from the packet data, even if it looks
                         like a HEX dump.
                         NOTE: Do not enable it if the input file does not
                         contain the ASCII text dump.
Libsrtp: text2pcap

• text2pcap -t "%M:%S." -u 10000,10000 - - > ./Normal_Call_two_parties_Decrypted.pcap
• -t: treat the text in front of each packet as a date/time stamp
• "%M:%S.": the format of that stamp (minutes:seconds.fraction)
• -u: prepend a UDP header with the given source and destination ports
root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ./Normal_Call_two_parties_Exported_RTP.pcap | text2pcap -t "%M:%S." -u 10000,10000 - - > ./Normal_Call_two_parties_Decrypted.pcap
Input from: Standard input
Output to: Standard output
Output format: PCAP
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 17
Generate dummy UDP header: Source port: 10000. Dest port: 10000
Using libsrtp2 2.2.0-pre [0x2020000]
security services: confidentiality message authentication
set master key/salt
Starting decoder
Libsrtp: open the decrypted capture

Normal_Call_two_parties_Decrypted.pcap in Wireshark: 18 frames of 214 bytes, 10.1.1.1:10000 → 10.2.2.2:10000, Len=172. Frame 1: Ethernet II Src 0a:01:01:01:01:01, Dst 0a:02:02:02:02:02, IPv4 10.1.1.1 → 10.2.2.2, UDP 10000 → 10000 (the dummy headers text2pcap generated), payload shown only as "Data (172 bytes)", since nothing yet tells Wireshark that port 10000 carries RTP.
Libsrtp: Decode As RTP

Right-clicking one of the UDP frames (Frame 3, 10.1.1.1:10000 → 10.2.2.2:10000, Data 172 bytes) opens the packet-list context menu: Mark/Unmark Packet Ctrl+M, Ignore/Unignore Packet Ctrl+D, Set/Unset Time Reference Ctrl+T, Time Shift... Ctrl+Shift+T, Packet Comment Ctrl+Alt+C, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, Follow, Copy, Protocol Preferences, Decode As..., Show Packet in New Window. Decode As... is used to dissect UDP port 10000 as RTP.
Libsrtp: decoded RTP stream

After Decode As RTP, Normal_Call_two_parties_Decrypted.pcap shows the same 18 frames as Real-Time Transport Protocol: PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25650 to 25667, Time=160 to 2880, Mark on the first packet, i.e. the header values of the SRTP stream seen earlier, now with a plaintext payload (Frame 3: 214 bytes, Ethernet II 0a:01:01:01:01:01 → 0a:02:02:02:02:02, IPv4 10.1.1.1 → 10.2.2.2, UDP 10000 → 10000).

©PentesterAcademy.com
Libsrtp: analyse the RTP stream

Telephony → RTP → Stream Analysis on the decoded capture (the Telephony menu also lists VoIP Calls, ANSI, GSM, IAX2 Stream Analysis, ISUP Messages, LTE, MTP3, RTSP, SCTP, SMPP Operations, UCP Messages, H.225, SIP Flows, SIP Statistics, WAP-WSP Packet Counter).

Result, Forward stream 10.1.1.1:10000 → 10.2.2.2:10000, SSRC 0x399071D5: RTP Packets 520, Expected 520, Lost 0 (0.00 %), Seq Errs 0, Max Delta 31.03 ms @ 220, Max Jitter 2.25 ms, Start at 0.000000 s, Duration 10.38 s, Freq Drift 8000 Hz (0.00 %); the per-packet rows (sequence 26142 to 26169) show deltas of about 20 ms, jitter around 1 ms and a bandwidth of 80.00 to 81.60 kbit/s. Reverse stream: SSRC 0x00000000, RTP Packets 0, Expected 1, Lost 1 (100.00 %), Duration 0.00 s, because only one direction of the call was exported.
Libsrtp: play back the decrypted audio

RTP Player: Source 10.1.1.1:10000, Destination 10.2.2.2:10000, SSRC 0x399071d5, 520 packets, Time Span (s) 0 to 10.4, Sample Rate 8000 Hz, Payloads g711U; Output Device: Speakers (Realtek High Definition Audio); Jitter Buffer: 50; Playback Timing: Jitter Buffer. The waveform of the recovered call is drawn on a 0 to 9 s axis.
• DTMF
• Short messages (SMS)

RTP DTMF

DTMF_Lab_1_SIP+RTP_1_to_9.pcap in Wireshark:

No.   Time       Source          Destination     Protocol   Length  Info
2594  58.778242  192.168.20.130  192.168.20.1    RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x4BDB6E5A, Seq=21265, Time=97280
2595  58.792695  192.168.20.1    192.168.20.130  RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=12503, Time=97920
2596  58.793139  192.168.20.130  192.168.20.136  RTP        214     PT=ITU-T G.711 PCMU, SSRC=0x71781F5A, Seq=1568, Time=97920
2597  58.798669  192.168.20.136  192.168.20.130  RTP EVENT  58      Payload type=RTP Event, DTMF One 1
2598  58.799694  192.168.20.130  192.168.20.1    RTP EVENT  60      Payload type=RTP Event, DTMF One 1
2599  58.799754  192.168.20.130  192.168.20.1    RTP EVENT  60      Payload type=RTP Event, DTMF One 1
2600  58.813964  192.168.20.1    192.168.20.130  RTP                PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=12504, Time=98080
2601  58.814147  192.168.20.130  192.168.20.1    RTP EVENT  60      Payload type=RTP Event, DTMF One 1
2602  58.814239  192.168.20.130  192.168.20.136  RTP                PT=ITU-T G.711 PCMU, SSRC=0x71781F5A, Seq=1569, Time=98080
2603  58.818706  192.168.20.136  192.168.20.130  RTP EVENT  58      Payload type=RTP Event, DTMF One 1

Frame 2597: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Ethernet II, Src: Vmware_23:37:1f (00:50:56:23:37:1f), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.136, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16290
Real-Time Transport Protocol
RFC 2833 RTP Event
    End of Event: False
    Reserved: False
    Volume: 10
    Event Duration: 160
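What Wireshark labels "RTP Event, DTMF One 1" is a four-byte RFC 2833 (now RFC 4733) block behind an ordinary RTP header. The Python below is an added example, not course material or the code of any tool shown: it parses the RTP header, decodes the event block (event, end bit, volume, duration) and rebuilds the digits keyed during a stream, counting a key press once however many packets repeat it, as the capture above does for digit 1. The sample stream is constructed here; payload type 101 comes from the SDP in the slides, the SSRC and sequence numbers are made up.

```python
"""RTP header + RFC 2833/4733 telephone-event decoding (added example, not course code)."""
import struct

# Payload type 101 is the dynamic PT the SDP in the slides binds to telephone-event/8000.
TELEPHONE_EVENT_PT = 101
DTMF_EVENTS = {i: str(i) for i in range(10)}
DTMF_EVENTS.update({10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"})


def parse_rtp(packet):
    """Split one RTP packet (RFC 3550) into header fields and payload."""
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)              # skip the CSRC list
    if b0 & 0x10:                              # header extension present
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:                  # padding: last byte is the pad length
        payload = payload[:-payload[-1]]
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def parse_telephone_event(payload):
    """Decode the 4-byte event block: event | E R volume(6) | duration(16)."""
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "digit": DTMF_EVENTS.get(event, "?"),
            "end": bool(flags & 0x80), "volume": flags & 0x3F, "duration": duration}


def duration_ms(ev, clock=8000):
    """Event duration in milliseconds; telephone-event runs on the 8000 Hz audio clock."""
    return ev["duration"] * 1000 / clock


def dialed_digits(packets, event_pt=TELEPHONE_EVENT_PT):
    """Digits keyed during a stream. One key press is sent as several event packets
    sharing the RTP timestamp (the capture shows 'DTMF One 1' repeated), so a digit
    is counted once per (SSRC, timestamp). On RTP/AVP these digits, e.g. an IVR PIN,
    are readable by anyone holding the capture; SRTP encrypts them with the audio."""
    seen, digits = set(), []
    for pkt in packets:
        rtp = parse_rtp(pkt)
        if rtp["pt"] != event_pt:
            continue
        key = (rtp["ssrc"], rtp["ts"])
        if key not in seen:
            seen.add(key)
            digits.append(parse_telephone_event(rtp["payload"])["digit"])
    return "".join(digits)


def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """RTP v2 packet without CSRC, extension or padding (used to construct the sample)."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


def event_payload(event, end, volume, duration):
    """4-byte telephone-event block (used to construct the sample)."""
    return struct.pack("!BBH", event, (0x80 if end else 0) | (volume & 0x3F), duration)


# Constructed sample stream (SSRC and sequence numbers made up): digit 1 as three
# packets with volume 10 and growing duration, one PCMU audio packet, then digit 2.
SAMPLE_SSRC = 0x12345678
SAMPLE_STREAM = [
    build_rtp(101, 1568, 97920, SAMPLE_SSRC, event_payload(1, False, 10, 160), marker=True),
    build_rtp(101, 1569, 97920, SAMPLE_SSRC, event_payload(1, False, 10, 320)),
    build_rtp(101, 1570, 97920, SAMPLE_SSRC, event_payload(1, True, 10, 480)),
    build_rtp(0, 1571, 98400, SAMPLE_SSRC, b"\xff" * 160),
    build_rtp(101, 1572, 99200, SAMPLE_SSRC, event_payload(2, True, 10, 800)),
]

if __name__ == "__main__":
    first = parse_telephone_event(parse_rtp(SAMPLE_STREAM[0])["payload"])
    print(first, duration_ms(first), "ms")
    print("dialed:", dialed_digits(SAMPLE_STREAM))
```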
SIP MESSAGE (text message) in Wireshark:

No.  Time       Source          Destination     Protocol  Length  Info
60   33.429572  192.168.20.130  192.168.20.136  SIP       543     Status: 202 Accepted
61   33.429573  192.168.20.130  192.168.20.1    SIP       513     Request: MESSAGE sip:2222@192.168.20.1:63825;ob (text/plain)
62   33.430944  192.168.20.1    192.168.20.130  SIP       348     Status: 200 OK

Frame 61: 513 bytes on wire (4104 bits), 513 bytes captured (4104 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 5160, Dst Port: 63825
Session Initiation Protocol (MESSAGE)
    Request-Line: MESSAGE sip:2222@192.168.20.1:63825;ob SIP/2.0
    Message Header
        Via: SIP/2.0/UDP 192.168.20.130:5160;branch=z9hG4bK5a87574e
        Max-Forwards: 70
        From: "Unknown" <sip:1111@192.168.20.130:5160>;tag=ase08f816f
        To: <sip:2222@192.168.20.1:63825;ob>
        Contact: <sip:1111@192.168.20.130:5160>
        Call-ID: 073e1f452da9a1e17dbf255754c503a9@[::1]:5160
        CSeq: 102 MESSAGE
        User-Agent: FPBX-13.0.194.2(13.12.1)
        Content-Type: text/plain;charset=UTF-8
        Content-Length: 29
    Message Body
        Line-based text data: text/plain
PCAP2WAV: online demo

pcap2wav.xplico.org (served over plain HTTP; the browser marks it "Not secure"):

PCAP2WAV converts RTP streams to WAV files
Codecs supported: G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio).
PCAP2WAV is an Xplico customization and it runs in Linux.
Try it now, drag & drop here the PCAP file.
This session is visible only from your IP (182.48.243.162).

Demo rules:
• Only network files (CAP, PCAP) are allowed.
• The maximum file size for uploads is 5 MB.
• Uploaded files will be deleted automatically at 00:00 GMT.
• You can drag & drop files from your desktop on this webpage with Google Chrome, Mozilla Firefox and Apple Safari.

Uploading a call capture here hands the conversation to a third party over an unencrypted connection; the offline script covered in the following slides keeps it on your own machine.
PCAP2WAV: upload the PCAP and download the WAV

The same demo page after the upload: the WAV Files panel lists SIP+RTP_call_trace_from_caller_to_PBX.pcap (226.76 KB) with a Delete button next to it.
PCAP2WAV: the WAV file in Audacity

Audacity with the downloaded track rtp_0_1_1522092588_13080.pcap-media-1 open: Mono, 8000 Hz, 32-bit float, the timeline showing 0.0 to 3.0 s.
PCAP2WAV: offline script

• Bash script that extracts the audio from a VoIP call capture
• Outputs .wav files
• Uses tshark and sox
• GitHub: https://gist.github.com/avimar/d2e9d05e082ce273962d742eb9acac16
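The two things the gist delegates to external tools are payload extraction (tshark) and G.711 decoding (sox). The Python below is an added example, not the gist's code: it expands raw PCMU (µ-law) payload bytes, which is what the .PCMU files the script leaves behind contain, to 16-bit PCM and writes a mono 8 kHz WAV with the standard library alone, so the G.711 case needs no sox. The sample payload is constructed inline; the 70240-byte figure in the comment is the size of output_call.wav_1.PCMU from the directory listing later in the deck.

```python
"""Raw G.711 mu-law (PCMU) payload -> 16-bit PCM WAV (added example, not pcap2wav's code)."""
import io
import struct
import wave

PCMU_RATE = 8000          # G.711 clock: 8000 one-byte samples per second
RTP_PAYLOAD_BYTES = 160   # one 20 ms RTP packet of PCMU, as in the captures above


def ulaw_to_linear(byte):
    """Expand one 8-bit mu-law code to a signed 16-bit sample (G.711 segment decoding)."""
    u = ~byte & 0xFF                      # mu-law codes are stored bit-inverted
    sign = u & 0x80
    exponent = (u >> 4) & 0x07            # 3-bit segment number
    mantissa = u & 0x0F                   # 4-bit step inside the segment
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def pcmu_to_pcm16(pcmu):
    """Little-endian 16-bit PCM, the layout WAV stores."""
    return struct.pack("<%dh" % len(pcmu), *(ulaw_to_linear(b) for b in pcmu))


def pcmu_seconds(nbytes, rate=PCMU_RATE):
    """Duration of a raw PCMU file: one byte per sample."""
    return nbytes / rate


def write_wav(pcmu, fileobj, rate=PCMU_RATE):
    """Write a mono 16-bit WAV; fileobj may be a path or a binary file object."""
    with wave.open(fileobj, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcmu_to_pcm16(pcmu))


def wav_info(fileobj):
    """(channels, sample width, rate, frames) of a WAV, to verify what was written."""
    with wave.open(fileobj, "rb") as w:
        return w.getnchannels(), w.getsampwidth(), w.getframerate(), w.getnframes()


# Constructed sample: one packet of mu-law silence (0xFF decodes to 0) followed by one
# packet sweeping through positive codes, i.e. 40 ms of audio in total.
SAMPLE_PCMU = (bytes([0xFF] * RTP_PAYLOAD_BYTES)
               + bytes(range(0x80, 0x100)) + bytes(range(0x80, 0xA0)))


def convert_sample():
    """Round-trip the sample through an in-memory WAV and return its header fields."""
    buf = io.BytesIO()
    write_wav(SAMPLE_PCMU, buf)
    buf.seek(0)
    return wav_info(buf)


if __name__ == "__main__":
    print(convert_sample())
    # The 70240-byte output_call.wav_1.PCMU in the listing is 8.78 s of audio.
    print(pcmu_seconds(70240), "s")
```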
PCAP2WAV: help

root@PentesterAcademy:/work/pcap2wav# ./pcap2wav.sh -h
pcap2wav is a simple utility to make it easier to extract the audio from a pcap
Dependencies:
    apt-get install -y tshark sox
    yum install wireshark sox

Usage:
    pcap2wav [opts] filename.pcap [target filename]

Script attempts to create a few files: a .<codec> file and a .wav file for each RTP stream

It requires Tshark to be installed on the system. If a codec other than PCMA or PCMU
is used then the script will attempt to use fs_cli to decode and create a wav.

Supported codecs:
    PCMU (G711 ulaw)
    PCMA (G711 Alaw)
    GSM
    G722 (requires fs_encode)
    G729 (requres fs_encode with mod_com_g729)

Supported options:
    -Z  Perform "clean and zip" - After converting to wav files the program will "clean up"
        by putting the wav files into a .tgz file and then removing
        the .wav and .<codec> files from the disk.
PCAP2WAV: install tshark and sox

root@PentesterAcademy:~# apt-get install -y tshark sox
Reading package lists... Done
Building dependency tree
Reading state information... Done
tshark is already the newest version (2.4.4-1).
The following additional packages will be installed:
  libsox-fmt-alsa libsox-fmt-base libsox3
Suggested packages:
  libsox-fmt-all
The following NEW packages will be installed:
  libsox-fmt-alsa libsox-fmt-base libsox3 sox
0 upgraded, 4 newly installed, 0 to remove and 1826 not upgraded.
Need to get 530 kB of archives.
After this operation, 1,292 kB of additional disk space will be used.
...edu.tw/Linux/kali kali-rolling/main amd64 libsox3 amd64 14.4.2-3 [264 kB]
...edu.tw/Linux/kali kali-rolling/main amd64 libsox-fmt-alsa amd64 14.4.2-3 [51.3 kB]
...edu.tw/Linux/kali kali-rolling/main amd64 libsox-fmt-base amd64 14.4.2-3 [72.8 kB]
...edu.tw/Linux/kali kali-rolling/main amd64 sox amd64 14.4.2-3 [142 kB]
... (84.7 kB/s)
Selecting previously unselected package libsox3:amd64.
(Reading database ... 336924 files and directories currently installed.)
Preparing to unpack .../libsox3_14.4.2-3_amd64.deb ...
Unpacking libsox3:amd64 (14.4.2-3) ...
PCAP2WAV: run the tool

root@PentesterAcademy:/work/pcap2wav# ./pcap2wav.sh SIP+RTP_call_trace_from_caller_to_PBX.pcap ./output_call.wav
Found SIP+RTP_call_trace_from_caller_to_PBX.pcap, working...
Using ./output_call.wav
Checking SIP+RTP_call_trace_from_caller_to_PBX.pcap for RTP streams...
Running as user "root" and group "root". This could be dangerous.
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Target files to create:
Stream 1 ssrc / port: 0x0fbb0c8d / 13080
Stream 2 ssrc / port: 0x4fcef51a / 4004
Extracting payloads 1 from 0x0fbb0c8d...
Extracting payloads 2 from 0x4fcef51a...
Combining 2 streams into a single wav file for convenience
No clean option specified - leaving .<codec> and .wav files on system.

©PentesterAcademy.com
PCAP2WAV: directory contents

• Directory contents before running the script:

root@PentesterAcademy:/work/pcap2wav# ls -l
total 232
-rwxr-xr-x 1 root root   5927 Mar 27 01:18 pcap2wav.sh
-rw-r--r-- 1 root root 226760 Mar 19 17:29 SIP+RTP call trace from caller to PBX.pcap

• Directory contents after running the script:

root@PentesterAcademy:/work/pcap2wav# ls -l
total 592
-rw-r--r-- 1 root root  70240 Mar 27 03:57 output call.wav 1.PCMU
-rw-r--r-- 1 root root  70298 Mar 27 03:57 [name illegible in the slide]
-rw-r--r-- 1 root root  70880 Mar 27 03:57 output call.wav 2.PCMU
-rw-r--r-- 1 root root  70938 Mar 27 03:57 [name illegible in the slide]
-rw-r--r-- 1 root root 760938 Mar 27 03:57 [name illegible in the slide]
-rwxr-xr-x 1 root root   5927 Mar 27 01:18 pcap2wav.sh
-rw-r--r-- 1 root root 226760 Mar 19 17:29 SIP+RTP call trace from caller to PBX.pcap
PCAP2WAV: the WAV file displayed in Audacity

[Screenshot: the exported WAV file open in Audacity as a stereo track, timeline 0.0 to 3.0 s]
VoIPShark

• A collection of Wireshark plugins that:
  – decrypt VoIP calls
  – export call audio
  – gather information (SMS, DTMF and more)
  – detect basic VoIP attacks
• Licensed under the same GPL as Wireshark
• GitHub: github.com/pentesteracademy/voipshark
VoIPShark: existing tools and their problems

• The traditional analysis workflow is tedious and complex
• A large number of tools is involved:
  – they need compiling, and setup is time-consuming
  – they are relatively complex to use
  – they depend on the user and are error-prone
• Decryption does not preserve timestamps, IP addresses and other metadata
Why a Wireshark plugin?

• Plug and play
• Plugin sources:
  – Lua scripts
  – compiled C/C++ code
• Leverages Wireshark's powerful features
• Independent of the operating system
• Solid user base

[Diagram: Wireshark plugin types: Dissector, Chained Dissector, Heuristic Dissector, Post Dissector, Listener/Tap]
Chained dissector

• Receives data from the previous dissector, handles its own part, then passes the rest on to the next dissector

Dissection flow example:

Ethernet → Custom (chained dissector) → IP → TCP → HTTP
VoIPShark: place in the dissector chain

[Diagram: Wireshark's IP Layer Parser → TCP/UDP Parser → VoIPShark's SIP/SDP/RTP/SRTP Parser → Wireshark's Upper Layer Parser]
VoIPShark: overall architecture

[Diagram: inside Wireshark, a New Stream Notifier hands SIP and RTP/SRTP streams to the engines: Audio Reconstruction Engine, Encoding Engine, Flow Analysis Engine, Correlation Engine, Extraction Engine and Packet Reconstruction Engine; the resulting Audio File is written to the file system]
[Diagram: SRTP decryption pipeline]

DISSECTOR TABLE
  → EXTRACTOR: SSRC, SEQ NUM (using PREDEFINED LABELS)
  → ENCRYPTED PAYLOAD EXTRACTOR
  → DECRYPTOR → RTP PAYLOAD

MEDIA PORTS, SENDER IP, RECEIVER IP
  → KEY EXTRACTOR: MASTER KEY, MASTER SALT
  → KEY DERIVATOR (labels 0, 2): SESSION ENCRYPTION KEY, SESSION SALT KEY
  → DECRYPTOR
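The key derivator and decryptor stages above, as an added Go example that is not VoIPShark's own code (VoIPShark is a Lua plugin): the RFC 3711 AES-CM key derivation that turns the master key and salt into the session encryption key (label 0) and session salt (label 2), and the per-packet keystream the decryptor applies. The function names are chosen here; the master key and salt are the RFC 3711 appendix B.3 test vectors, and the payload used in the test is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// aesCTR XORs src with the AES counter-mode keystream for key and iv.
func aesCTR(key, iv, src []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(out, src)
	return out, nil
}

// srtpKDF is the RFC 3711 section 4.3.1 derivation with key_derivation_rate 0: n bytes of
// AES-CM keystream under the master key, IV = ((label || r=0) XOR master_salt) || 0x0000.
// Label 0 gives the session encryption key, 2 the session salt (the "0, 2" above), 1 the auth key.
func srtpKDF(masterKey, masterSalt []byte, label byte, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, fmt.Errorf("master salt must be 14 bytes, got %d", len(masterSalt))
	}
	iv := make([]byte, 16)
	copy(iv, masterSalt)
	iv[7] ^= label // r = 0, so the label is the only byte of key_id that changes x
	return aesCTR(masterKey, iv, make([]byte, n)) // keystream over zero bytes
}

// srtpPayloadXOR applies the RFC 3711 section 4.1.1 keystream to one packet payload (CTR
// is symmetric, so it decrypts SRTP): IV = (salt<<16) XOR (SSRC<<64) XOR (index<<16).
func srtpPayloadXOR(sessKey, sessSalt []byte, ssrc, roc uint32, seq uint16, payload []byte) ([]byte, error) {
	iv := make([]byte, 16)
	copy(iv, sessSalt) // salt<<16 fills bytes 0..13
	index := uint64(roc)<<16 | uint64(seq) // 48-bit packet index i = ROC<<16 | seq
	for i := 0; i < 4; i++ {
		iv[4+i] ^= byte(ssrc >> (24 - 8*i)) // SSRC<<64 lands in bytes 4..7
	}
	for i := 0; i < 6; i++ {
		iv[8+i] ^= byte(index >> (40 - 8*i)) // index<<16 lands in bytes 8..13
	}
	return aesCTR(sessKey, iv, payload)
}
func main() {
	// RFC 3711 appendix B.3 master key and salt (what the key extractor takes from SDP a=crypto, base64 decoded).
	mk, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	ms, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	sessKey, _ := srtpKDF(mk, ms, 0, 16)
	sessSalt, _ := srtpKDF(mk, ms, 2, 14)
	fmt.Printf("session key  %X\nsession salt %X\n", sessKey, sessSalt)
}
```

Each direction of a call can carry its own a=crypto master key, so the derivation is repeated per stream; with key_derivation_rate 0, as here, the session keys never rotate within the call.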


Plugin location

• Path: Help > About Wireshark > Folders

[Screenshot: the Folders tab of About Wireshark on Windows (Wireshark 2.4.5) and Ubuntu (Wireshark 1.12.1)]

Windows:
  Personal configuration  C:\Users\Nishant\AppData\Roaming\Wireshark       dfilters, preferences, ethers, ...
  Global configuration    C:\Program Files\Wireshark
  System                  C:\Program Files\Wireshark                       ethers, ipxnets
  Program                 C:\Program Files\Wireshark                       program files
  Personal Plugins        C:\Users\Nishant\AppDa...ming\Wireshark\plugins  dissector plugins
  Global Plugins          C:\Program Files\Wireshark\plugins\2.4.5         dissector plugins
  Extcap path             C:\Program Files\Wireshark\extcap                Extcap Plugins search path

Ubuntu:
  Temp                    /tmp                                             untitled capture files
  Personal configuration  /root/.wireshark                                 "dfilters", "preferences", "ethers", ...
  Global configuration    /usr/share/wireshark                             "dfilters", "preferences", ...
  System                  /etc                                             "ethers", "ipxnets"
  Program                 /usr/bin                                         program files
  Personal Plugins        /root/.wireshark/plugins                         dissector plugins
  Global Plugins          /usr/lib/x86_64-linux-gnu/wireshark/plugins/1.12.1  dissector plugins
Decrypting SRTP: SRTP packets

[Screenshot: Normal Call two parties.pcap open in Wireshark, packet list showing the media streams]

No.  Time       Source          Destination     Length  Info
177  29.311833  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
183  29.316949  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
189  29.332471  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
190  29.333063  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
191  29.334585  192.168.20.132  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x1…
192  29.334904  192.168.20.130  192.168.20.1    224     PT=ITU-T G.711 PCMU, SSRC=0x4…
193  29.352961  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
194  29.353301  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…
195  29.354843  192.168.20.132  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x1…
196  29.355005  192.168.20.130  192.168.20.1    224     PT=ITU-T G.711 PCMU, SSRC=0x4…
197  29.372665  192.168.20.1    192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3…
198  29.372952  192.168.20.130  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x6…

Frame 177: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16450
Real-Time Transport Protocol
[Screenshot: Wireshark > Edit > Preferences > Protocols, with VOIPSHARK listed alphabetically between VNC and VP8, and the VoIPShark preferences pane]
Decrypting SRTP: SRTP after decryption (RTP)

[Screenshot: the same packet list (frames 177 to 198 between 192.168.20.1, 192.168.20.130 and 192.168.20.132) after VoIPShark decryption; every frame now dissects as Real-Time Transport Protocol, PT=ITU-T G.711 PCMU, and frame 177 shows UDP Src Port 4000, Dst Port 16450]
VoIPShark: exporting call audio

[Screenshot: Wireshark's Tools menu opened over the RTP packet list; next to the built-in Firewall ACL Rules and Lua entries, VoIPShark adds its own entries, including VoIP Attack Detection]
VoIPShark: Export Wav dialog

[Screenshot: Wireshark - Export Wav]
Location     (Default: C:\Users\Nishant\Documents\)
File prefix  (Default: PA-export)   Voip-call
[Screenshot: Wireshark - Export Wav result]
Streams Found: 4
Stream 1 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.130-192.168.20.1-0x48f87780.wav
Stream 2 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.130-192.168.20.132-0x60542655.wav
Stream 3 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.132-192.168.20.130-0x15bd2f81.wav
Stream 4 Exported Successfully!
Please Check: C:\Users\Nishant\Desktop\Voip-call-192.168.20.1-192.168.20.130-0x399071d5.wav
VoIPShark: SIP information gathering

[Screenshot: the VoIPShark entries in Wireshark's Tools menu, opened over the RTP packet list of the same capture]
SIP information gathering: DTMF

[Screenshot: Wireshark - DTMF Sequence dialog]
Call Source     | Call Destination | Media Port | DTMF Sequence
192.168.20.130  | 192.168.20.1     | …          | …
SIP information gathering: extensions

[Screenshot: Wireshark - Extensions dialog, with Reset and Search buttons]
192.168.20.1   MicroSIP/3.18.2
SIP information gathering: RTP packet transfers

[Screenshot: Wireshark - RTP Packet Transfers dialog]
Call ID | Media Port | Packets Sent | Packets Received
df715f19130d447a8d790f6c57c6a049 | 192.168.20.130 | 192.168.20.132 | 17786<->4000
SIP information gathering: SIP auth export

[Screenshot: Wireshark - SIP Auth Export dialog, one row per REGISTER digest exchange]

192.168.20.132 | 192.168.20.130
$sip$***1111*asterisk*REGISTER*sip*192.168.20.130**1522268723/f872129e9c735809884cb64de141967e*1c109c4b8a064ef5ae277c4d7d07c4d1*00000001*auth*MD5*6a09af4b796d1b5ff376726fa9ae1ad9

192.168.20.1 | 192.168.20.130 | f28aa9d6f10944e06f8693337fd3ba19
$sip$***2222*asterisk*REGISTER*sip*192.168.20.130**1522268729/b27f0c3e27b25533a8ae9a41de712696*81aca7938c994d1d93d4abc8007095b5*00000001*auth*MD5*f28aa9d6f10944e06f8693337fd3ba19
SIP information gathering: servers and proxies

[Screenshot: Wireshark - Servers and Proxy dialog, with Reset and Search buttons]
[Screenshot: Wireshark - Unique Messages dialog, listing messages per host; 192.168.20.130 shown]
VoIPShark: VoIP attack detection

[Screenshot: Wireshark's Tools menu over the RTP packet list, showing the VoIPShark entries Export Wav and VoIP Attack Detection next to Firewall ACL Rules; the list holds RTP frames between 192.168.20.1, 192.168.20.130 and 192.168.20.132, PT=ITU-T G.711]

VoIP attack detection: brute force

[Screenshot: Wireshark - Brute Force dialog]
S.no | Attacker Machine | Target Extension | Target Machine | Requests Sent | Failed Attempts | Requests Per second
1    | 192.168.20.134   | 1111             | 192.168.20.130 | 7             | 6               | 167.54
2    | 192.168.20.134   | 2222             | 192.168.20.130 | 9             | 8               | 151.65
VoIP attack detection: INVITE flooding

[Screenshot: Wireshark - Invite Flooding dialog]
192.168.20.134 | PentesterAcademy
VoIP attack detection: message flooding

[Screenshot: Wireshark - Message Flooding dialog, with Reset and Search buttons]
192.168.20.134 | 192.168.20.130
VoIP attack detection: man-in-the-middle

[Screenshot: Wireshark - MITM Attempts dialog]
00:0c:29:9c:2f:3f | 48:0f:cf:4b:06:c9, 48:0f:cf:4b:06:c9 | 48:0f:cf:4b:06:c9, f8:a9:63:4b:c4:4d
VoIP attack detection: unauthenticated users

[Screenshot: Wireshark - Unauthenticated Users dialog]
Username | Call Destination

GitHub: github.com/pentesteracademy/voipshark
nishant@attackdefense.com